Description
Incus is a system container and virtual machine manager. Prior to version 7.0.0, backup.GetInfo() trusts the inline backup/index.yaml config when present and only falls back to parsing the legacy backup/container/backup.yaml file if result.Config == nil. As a result, an archive can carry a valid inline config that passes the initial import preflight while also carrying a malformed legacy backup/container/backup.yaml file that is reparsed later from the restored file system. ParseConfigYamlFile() accepts YAML documents with no container section, and multiple downstream consumers then dereference .Container without checking for nil. Confirmed examples in the instance restore and import flow include backup.UpdateInstanceConfig() and internalImportFromBackup(). An authenticated user with permission to import instance backups may be able to crash the Incus daemon with a crafted backup archive whose inline backup/index.yaml is valid but whose extracted legacy backup.yaml omits container. The crash occurs in the restore path after archive extraction has begun. This issue has been patched in version 7.0.0.
Published: 2026-05-07
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when Incus processes a backup archive containing a valid inline backup/index.yaml but a malformed legacy backup/container/backup.yaml file. During the import flow the archive is extracted and the legacy file is reparsed; ParseConfigYamlFile() accepts it and returns a config structure with no container section. Downstream components then dereference the nil container, which crashes the Incus daemon. The weakness is classified as CWE-476 (NULL Pointer Dereference). The primary impact is a denial of service against the Incus service, leaving containers and VMs temporarily unavailable until the daemon is restarted.
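
A minimal Go illustration of the nil-dereference pattern described above and the guard that prevents it. This is an added example, not Incus code: the types, function names and the use of JSON as a standard-library stand-in for YAML are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Simplified stand-ins for the backup config types (names are assumptions,
// not Incus's definitions). JSON stands in for YAML to stay in the stdlib.
type Instance struct {
	Name string `json:"name"`
}
type Config struct {
	Container *Instance `json:"container"`
}

// parseConfig is permissive like the parser described above: a document
// with no "container" key decodes without error and leaves Container nil.
func parseConfig(doc []byte) (*Config, error) {
	cfg := &Config{}
	return cfg, json.Unmarshal(doc, cfg)
}

// unsafeName dereferences Container unconditionally, as the pre-fix
// consumers did; recover() turns the panic into a flag for this demo.
func unsafeName(doc []byte) (name string, panicked bool) {
	defer func() { panicked = recover() != nil }()
	cfg, _ := parseConfig(doc)
	return cfg.Container.Name, false
}

// safeName validates the reparsed config before use: error, not panic.
func safeName(doc []byte) (string, error) {
	cfg, err := parseConfig(doc)
	if err != nil {
		return "", err
	}
	if cfg.Container == nil {
		return "", fmt.Errorf("backup config has no container section")
	}
	return cfg.Container.Name, nil
}

func main() {
	legacy := []byte(`{"pool": {"name": "default"}}`) // constructed sample
	_, panicked := unsafeName(legacy)
	_, err := safeName(legacy)
	fmt.Println("unguarded panicked:", panicked, "| guarded:", err)
}
```

The same check has to be applied at every point where the config is parsed again, not only at the initial preflight, because the two files in the archive are independent inputs.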

Affected Systems

All Incus installations using versions prior to 7.0.0 are affected. This includes the 'lxc:incus' product family. No additional version matrix is available beyond the pre-7.0.0 cutoff.

Risk and Exploitability

The CVSS base score is 6.5, a medium severity. No EPSS score is available, so there is no current estimate of exploitation probability, and the absence of a KEV listing indicates no confirmed public exploitation. The attack requires an authenticated user with permission to import instance backups; such a user can craft a backup archive that triggers the crash in the restore path after extraction has begun. The crash terminates the Incus daemon, requiring a restart and temporarily denying service to all containers managed by that instance.

Generated by OpenCVE AI on May 7, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Incus to version 7.0.0 or later, which contains the patch that validates the legacy backup.yaml before processing.
  • If an upgrade cannot be performed immediately, restrict the ability to import backups to the least privileged users or suspend backup import functionality until a fix is available.
  • Monitor Incus logs for recurring panic or crash events related to backup import and alert administrators when a failure occurs.

Advisories
Source | ID | Title
Debian DSA | DSA-6244-1 | incus security update
Debian DSA | DSA-6247-1 | lxd security update
Github GHSA | GHSA-x5r6-jr56-89pv | Incus has Nil Dereferences on Restore via Malformed YAML

History

Thu, 07 May 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Linuxcontainers
Linuxcontainers incus
CPEs cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*
Vendors & Products Linuxcontainers
Linuxcontainers incus

Thu, 07 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Lxc
Lxc incus
Vendors & Products Lxc
Lxc incus

Thu, 07 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Incus is a system container and virtual machine manager. Prior to version 7.0.0, backup.GetInfo() trusts the inline backup/index.yaml config when present and only falls back to parsing the legacy backup/container/backup.yaml file if result.Config == nil. As a result, an archive can carry a valid inline config that passes the initial import preflight while also carrying a malformed legacy backup/container/backup.yaml file that is reparsed later from the restored file system. ParseConfigYamlFile() accepts YAML documents with no container section, and multiple downstream consumers then dereference .Container without checking for nil. Confirmed examples in the instance restore and import flow include backup.UpdateInstanceConfig() and internalImportFromBackup(). An authenticated user with permission to import instance backups may be able to crash the Incus daemon with a crafted backup archive whose inline backup/index.yaml is valid but whose extracted legacy backup.yaml omits container. The crash occurs in the restore path after archive extraction has begun. This issue has been patched in version 7.0.0.
Title Incus: Nil Dereferences on Restore via Malformed YAML
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T13:45:56.918Z

Reserved: 2026-04-22T03:53:24.406Z

Link: CVE-2026-41684

Vulnrichment

Updated: 2026-05-07T13:45:54.190Z

NVD

Status: Analyzed

Published: 2026-05-07T14:16:03.350

Modified: 2026-05-07T19:51:01.190

Link: CVE-2026-41684

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T15:00:13Z

Weaknesses