CVE-2026-40195
Analyzed Analyzed - Analysis Complete
Denial of Service in Incus via Malformed Backup Import

Publication date: 2026-05-06

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage bucket import logic allows an authenticated user with access to the storage bucket feature to cause the Incus daemon to crash. The vulnerability is present in the backup metadata handling logic, where the daemon processes the index.yaml file from an imported archive and accesses members of the parsed backup configuration without first verifying that the configuration object was initialized. A malicious or malformed index.yaml that omits the config block causes a nil-pointer dereference during bucket import operations and terminates the daemon. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40195
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxcontainers incus to 7.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Incus, a system container and virtual machine manager, in versions before 7.0.0. It is caused by missing validation logic in the storage bucket import process. Specifically, when the Incus daemon processes the index.yaml file from an imported backup archive, it accesses parts of the backup configuration without verifying if the configuration object is properly initialized.

If the index.yaml file is malicious or malformed and omits the required config block, this leads to a nil-pointer dereference error during the bucket import operation, causing the Incus daemon to crash.

An authenticated user with access to the storage bucket feature can exploit this to repeatedly crash the daemon, effectively causing a denial of service.

Impact Analysis

The primary impact of this vulnerability is a denial of service condition. An attacker who is authenticated and has access to the storage bucket feature can cause the Incus daemon to crash repeatedly by supplying a malformed backup archive.

This can keep the Incus service offline, disrupting container and virtual machine management operations that depend on it.

Mitigation Strategies

To mitigate this vulnerability, upgrade the Incus system container and virtual machine manager to version 7.0.0 or later, where the issue has been fixed.

Until the upgrade is applied, restrict authenticated users' access to the storage bucket feature to prevent exploitation of the missing validation logic that causes the daemon to crash.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40195. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart