Description
Incus is a system container and virtual machine manager. Prior to version 7.0.0, user provided image and backup tarballs would be unpacked and YAML files parsed without any size restrictions. This was making it easy for an authenticated user to provide a crafted image or backup tarball that when parsed by Incus would lead to a very large YAML document being loaded into memory, potentially causing the entire server to run out of memory. This issue has been patched in version 7.0.0.
Published: 2026-05-07
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Incus, the system container and virtual machine manager, had a flaw where image and backup tarballs were unpacked and their YAML metadata parsed without size restrictions. A crafted file could cause the YAML parser to allocate a very large amount of memory, leading the host to exhaust available RAM and become unresponsive. The vulnerability is a classic example of unbounded memory allocation—CWE‑770—and can be exploited by an authenticated user to trigger a denial of service.

Affected Systems

The weakness affected all Incus releases prior to version 7.0.0. Users running the open‑source distribution (vendor LXC, product Incus) before that patch were vulnerable. The advisory recommends using the 7.0.0 release or newer, which implements memory limits during YAML parsing.

Risk and Exploitability

The CVSS score of 5.3 classifies the issue as moderate severity. Although no EPSS score is publicly available and the vulnerability is not listed in the CISA KEV catalog, the exploit requires an authenticated upload of a malicious image or backup. In environments where image import is available to users, the attacker can intentionally cause server memory exhaustion by repeatedly submitting oversized YAML files, potentially taking the service offline. The risk is therefore moderate but could be high in highly available or multi‑tenant deployments.

Generated by OpenCVE AI on May 7, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Incus to version 7.0.0 or later, where YAML parsing enforces a memory limit.
  • Restrict the ability to upload or import images and backups to trusted administrators only, using role‑based access controls or network segmentation.
  • Apply system resource limits (e.g., ulimit constraints or cgroup quotas) to the Incus daemon to curb memory usage in the event of an outage.

Generated by OpenCVE AI on May 7, 2026 at 14:52 UTC.
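The memory limit referred to in the first recommended action can be enforced at the point where the tarball is read, before any YAML decoder sees the bytes. The following Go example is added here and is not Incus's own code; the entry name `metadata.yaml`, the byte cap and the `BuildTar` helper are assumptions made for illustration. It scans a tar stream for the metadata entry and never buffers more than the configured number of bytes, so an oversized YAML document is rejected instead of being loaded into memory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"io"
)

// ErrMetadataTooLarge signals a YAML metadata entry above the configured cap.
var ErrMetadataTooLarge = errors.New("yaml metadata exceeds size limit")

// ReadBoundedMetadata returns the bytes of the named entry from a tar stream
// while never buffering more than maxBytes; an oversized entry is rejected
// before it would be handed to a YAML decoder.
func ReadBoundedMetadata(r io.Reader, name string, maxBytes int64) ([]byte, error) {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return nil, errors.New("metadata entry not found in tarball")
		}
		if err != nil {
			return nil, err
		}
		if hdr.Name != name {
			continue // skip rootfs and other non-metadata entries
		}
		// LimitReader caps what is actually buffered regardless of hdr.Size.
		buf, err := io.ReadAll(io.LimitReader(tr, maxBytes+1))
		if err != nil {
			return nil, err
		}
		if int64(len(buf)) > maxBytes {
			return nil, ErrMetadataTooLarge
		}
		return buf, nil
	}
}

// BuildTar constructs an in-memory tarball with a single entry (constructed test input).
func BuildTar(name string, content []byte) []byte {
	var b bytes.Buffer
	tw := tar.NewWriter(&b)
	_ = tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(content)), Typeflag: tar.TypeReg})
	_, _ = tw.Write(content)
	_ = tw.Close()
	return b.Bytes()
}
```

The same cap should be applied to every YAML file extracted from an image or backup, not only the one named here, and the limit should sit well below the host's free memory.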

Advisories

Source       ID                   Title
Debian DSA   DSA-6244-1           incus security update
Debian DSA   DSA-6247-1           lxd security update
Github GHSA  GHSA-67wx-r9xr-x75x  Incus has Unbounded YAML Metadata Decode via Parsing

History

Thu, 07 May 2026 20:00:00 +0000

Type                 Values Removed  Values Added
First Time appeared                  Linuxcontainers; Linuxcontainers incus
CPEs                                 cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*
Vendors & Products                   Linuxcontainers; Linuxcontainers incus
Metrics                              cvssV3_1 {'score': 5.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L'}

Thu, 07 May 2026 16:15:00 +0000

Type                 Values Removed  Values Added
Metrics                              ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 15:00:00 +0000

Type                 Values Removed  Values Added
First Time appeared                  Lxc; Lxc incus
Vendors & Products                   Lxc; Lxc incus

Thu, 07 May 2026 13:45:00 +0000

Type                 Values Removed  Values Added
Description                          Incus is a system container and virtual machine manager. Prior to version 7.0.0, user provided image and backup tarballs would be unpacked and YAML files parsed without any size restrictions. This was making it easy for an authenticated user to provide a crafted image or backup tarball that when parsed by Incus would lead to a very large YAML document being loaded into memory, potentially causing the entire server to run out of memory. This issue has been patched in version 7.0.0.
Title                                Incus: Unbounded YAML Metadata Decode via Parsing
Weaknesses                           CWE-770
References
Metrics                              cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-07T15:11:42.272Z
Reserved: 2026-04-21T23:58:43.802Z
Link: CVE-2026-41648

Vulnrichment

Updated: 2026-05-07T15:09:54.698Z

NVD

Status: Analyzed
Published: 2026-05-07T14:16:03.200
Modified: 2026-05-07T19:51:19.283
Link: CVE-2026-41648

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T15:00:13Z

Weaknesses