CVE-2026-33743
Denial of Service via Storage Bucket Crash in Incus
Publication date: 2026-03-26
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxcontainers | incus | all versions before 6.23.0 (6.23.0 excluded) |
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
How can this vulnerability impact me?
The main impact of this vulnerability is a denial of service condition on the Incus control plane API.
An attacker with access to the storage bucket feature can repeatedly crash the Incus daemon, causing the server to remain offline.
While running containers and virtual machines are not affected and will continue to operate, the management and control functions provided by the Incus daemon will be unavailable during the attack.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Incus to version 6.23.0 or later, as this version fixes the issue.
Additionally, restrict user access to the Incus storage bucket feature to prevent unauthorized users from exploiting the specially crafted storage bucket backup attack.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes a denial of service (DoS) condition on the Incus daemon, which can keep the server offline and impact the availability of the control plane API.
Since the vulnerability does not impact the confidentiality or integrity of data, and running workloads, containers, and virtual machines remain operational, it primarily affects availability.
In terms of compliance with standards like GDPR or HIPAA, which require ensuring availability of systems and services, this vulnerability could pose a risk to meeting availability requirements.
However, there is no direct information provided about specific compliance impacts or mitigations related to this vulnerability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the Incus daemon (incusd) for crashes or panic logs related to the storage bucket backup restore process.
Specifically, look for panic messages in the daemon logs indicating a runtime error such as `panic: runtime error: slice bounds out of range [14:8]` in the `TransferManager.UploadAllFiles` function.
To detect attempts to exploit this vulnerability, check for specially crafted tar archives being imported into storage pools, especially those containing entries whose header names are shorter than the expected prefix `backup/bucket/`.
Suggested commands to help detect this issue include:
- Check Incus daemon logs for panic messages: `sudo journalctl -u incusd | grep panic`
- Monitor for daemon crashes or restarts: `sudo systemctl status incusd`
- If you have access to storage bucket backups, inspect tar archives for entries that do not sit under the expected prefix: `tar -tf backup.tar | grep -v '^backup/bucket/'`
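The panic text above is consistent with an unchecked prefix strip (`backup/bucket/` is 14 bytes, `foo.json` is 8). The following Go snippet is an added example, not Incus code: it assumes that pattern, shows the hardened prefix check a restore path should apply, and walks a tar stream to list entries that fail it, which is the programmatic form of the `tar -tf | grep -v` check above. Entry names and archive contents are constructed sample data.

```go
package main

import (
	"archive/tar"
	"bytes"
	"io"
	"strings"
)

// Expected entry prefix per the advisory; its length, 14, matches the "[14:8]" panic.
const bucketPrefix = "backup/bucket/"

// safeStrip accepts an entry only if it really sits under the prefix; slicing
// name[len(bucketPrefix):] unchecked panics on a short name like "foo.json" (assumed pattern, not Incus code).
func safeStrip(name string) (string, bool) {
	rel, ok := strings.CutPrefix(name, bucketPrefix)
	if !ok || rel == "" || strings.Contains(rel, "..") {
		return "", false
	}
	return rel, true
}

// validateBucketArchive returns the tar entry names the hardened check rejects.
func validateBucketArchive(archive []byte) ([]string, error) {
	var bad []string
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return bad, nil
		} else if err != nil {
			return nil, err
		}
		if _, ok := safeStrip(hdr.Name); !ok {
			bad = append(bad, hdr.Name)
		}
	}
}

// buildArchive writes constructed sample entries to an in-memory tar (not a real backup).
func buildArchive(names []string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		_ = tw.WriteHeader(&tar.Header{Name: n, Typeflag: tar.TypeReg, Mode: 0o600, Size: 2})
		_, _ = tw.Write([]byte("{}"))
	}
	_ = tw.Close()
	return buf.Bytes()
}
```

A restore routine that rejects the archive whenever `validateBucketArchive` returns a non-empty list never reaches the slicing that crashes the daemon.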
Can you explain this vulnerability to me?
This vulnerability affects Incus, a system container and virtual machine manager. Before version 6.23.0, an attacker with access to the storage bucket feature can create a specially crafted storage bucket backup that causes the Incus daemon to crash.
Repeated exploitation of this flaw can keep the server offline by causing a denial of service on the control plane API.
However, this vulnerability does not affect running workloads, containers, or virtual machines, which will continue to operate normally.