Description
Incus is a system container and virtual machine manager. Prior to version 7.0.0, a missing error handling could lead an authenticated Incus user to cause a daemon crash through the import of a truncated storage bucket backup file. This issue has been patched in version 7.0.0.
Published: 2026-05-07
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A null-pointer dereference occurs during the import of a truncated S3 bucket backup file in Incus, a system container and virtual machine manager. The flaw leads to a daemon crash, resulting in a denial of service that can affect the availability of the entire Incus service on the host. The weakness is classified as CWE-476, indicating a lack of proper null reference checks during processing.

Affected Systems

The vulnerability affects the Incus product (vendor/product identifier lxc:incus). All releases before version 7.0.0 are affected, as the fix was introduced in the 7.0.0 release. Users running earlier versions should verify their installed version and plan to upgrade.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity. No EPSS score is available, so the likelihood of exploitation is unknown, but the flaw requires an authenticated user with the ability to import a backup. The issue is not listed in the CISA KEV catalog, so there is no known evidence of active exploitation. Attackers could trigger the crash by successfully authenticating to the Incus daemon and importing a crafted, incomplete backup file, causing the service to become unavailable.

Generated by OpenCVE AI on May 7, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Incus 7.0.0 or later, which removes the null-reference error.
  • Until the upgrade can be applied, avoid importing storage bucket backups that might be incomplete or corrupted, and restrict permissions for backup import operations to trusted users only.
  • Monitor system logs for unexpected backup import attempts and daemon crashes, and ensure the Incus service is configured to run with high availability where possible.

Generated by OpenCVE AI on May 7, 2026 at 14:52 UTC.

Advisories
Source: Debian DSA | ID: DSA-6244-1 | Title: incus security update
Source: Github GHSA | ID: GHSA-fwj8-62r8-8p8m | Title: Incus has Nil-Pointer Dereference via S3 Bucket Import
History

Thu, 07 May 2026 20:00:00 +0000

First Time appeared: Linuxcontainers; Linuxcontainers incus
CPEs: cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*
Vendors & Products: Linuxcontainers; Linuxcontainers incus

Thu, 07 May 2026 15:00:00 +0000

First Time appeared: Lxc; Lxc incus
Vendors & Products: Lxc; Lxc incus

Thu, 07 May 2026 14:15:00 +0000

Metrics: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 13:45:00 +0000

Description: Incus is a system container and virtual machine manager. Prior to version 7.0.0, a missing error handling could lead an authenticated Incus user to cause a daemon crash through the import of a truncated storage bucket backup file. This issue has been patched in version 7.0.0.
Title: Incus: Nil-Pointer Dereference via S3 Bucket Import
Weaknesses: CWE-476
References
Metrics: cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T13:54:39.907Z

Reserved: 2026-04-21T23:58:43.802Z

Link: CVE-2026-41647

Vulnrichment

Updated: 2026-05-07T13:54:33.119Z

NVD

Status: Analyzed

Published: 2026-05-07T14:16:03.020

Modified: 2026-05-07T19:52:13.737

Link: CVE-2026-41647

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T15:00:13Z

Weaknesses