CVE-2026-40197
Denial of Service in Incus via Volume Snapshot Import
Publication date: 2026-05-06
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxcontainers | incus | up to 7.0.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Incus, a system container and virtual machine manager, in versions before 7.0.0. It is caused by missing validation logic in the storage volume import process. Specifically, during the import of custom volume backups, the daemon assumes that each element in the volume snapshots list is properly initialized. However, an attacker can craft a backup archive containing null entries in this list, which leads to a nil-pointer dereference when the daemon tries to access fields of these null elements.
This nil-pointer dereference causes the Incus daemon to crash, resulting in a denial of service on the affected node. Because the attacker can repeatedly trigger this condition, they can keep the Incus service offline. This issue was fixed in version 7.0.0.
How can this vulnerability impact me?
The primary impact of this vulnerability is a denial of service (DoS) condition on the affected node running Incus. An authenticated user with access to the storage volume feature can cause the Incus daemon to crash by supplying a specially crafted backup archive. This crash disrupts normal operations, potentially causing downtime or service unavailability.
Repeated exploitation of this vulnerability can keep the Incus daemon offline, which may affect system stability and availability of containers or virtual machines managed by Incus.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the Incus system container and virtual machine manager to version 7.0.0 or later, where the issue has been fixed.
Until the upgrade is applied, restrict authenticated users' access to the storage volume feature to prevent exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes a denial of service by crashing the Incus daemon repeatedly, which can lead to service unavailability.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the resulting denial of service could impact availability requirements that are part of these regulations.
However, there is no direct information provided about data breaches, unauthorized access, or data integrity issues related to this vulnerability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the Incus daemon for crashes or unexpected terminations during storage volume import operations, especially when importing custom volume backup archives.
Since the issue occurs when importing a maliciously crafted backup archive containing null entries in the volume_snapshots array, detection involves verifying the integrity and structure of backup archives before import.
There are no specific commands provided in the available resources to detect this vulnerability directly.
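The structural check described above, as an added example (not Incus code and not taken from the advisory): it shows a null list element crashing a consumer that assumes initialized entries, and a validating parser rejecting the same input. The `Snapshot` and `BackupIndex` types and the function names are hypothetical, and a constructed JSON document stands in for the archive's metadata.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical stand-ins for the backup metadata; not the Incus types.
type Snapshot struct{ Name string `json:"name"` }
type BackupIndex struct{ VolumeSnapshots []*Snapshot `json:"volume_snapshots"` }

// Constructed sample inputs: a well-formed list and one with a null element.
var Good = []byte(`{"volume_snapshots":[{"name":"snap0"},{"name":"snap1"}]}`)
var Bad = []byte(`{"volume_snapshots":[{"name":"snap0"},null]}`)

// ParseIndex decodes the metadata; with validate set it rejects nil elements.
func ParseIndex(data []byte, validate bool) (*BackupIndex, error) {
	var idx BackupIndex
	if err := json.Unmarshal(data, &idx); err != nil {
		return nil, fmt.Errorf("decode index: %w", err)
	}
	for i, s := range idx.VolumeSnapshots {
		if validate && s == nil {
			return nil, fmt.Errorf("volume_snapshots[%d] is null", i)
		}
	}
	return &idx, nil
}

// SnapshotNames assumes every element is initialized. The recover turns the
// resulting panic into an error so this demo process survives.
func SnapshotNames(idx *BackupIndex) (names []string, err error) {
	defer func() {
		if r := recover(); r != nil {
			names, err = nil, fmt.Errorf("panic: %v", r)
		}
	}()
	for _, s := range idx.VolumeSnapshots {
		names = append(names, s.Name) // nil s triggers the dereference
	}
	return names, nil
}

func main() {
	idx, _ := ParseIndex(Bad, false)
	_, unchecked := SnapshotNames(idx)
	_, validated := ParseIndex(Bad, true)
	fmt.Printf("unchecked: %v\nvalidated: %v\n", unchecked, validated)
}
```

In a daemon without the `recover`, the unchecked path terminates the whole process, which is the denial of service the description refers to.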