CVE-2026-40243
TLS Certificate Validation Bypass in Incus
Publication date: 2026-05-06
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxcontainers | incus | to 7.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Incus versions before 7.0.0, specifically in the TLS validation logic used for connecting to the OVN database. The OVN client disables the standard Go TLS server verification and replaces it with custom peer-certificate verification. However, this custom verifier does not properly anchor trust in the configured Certificate Authority (CA) certificate. Instead, it builds the trust root from certificates provided by the peer during the handshake, ignoring the configured CA as the trust anchor.
As a result, an attacker who can impersonate or intercept the OVN endpoint on the management network can present a rogue self-signed certificate chain. Incus will accept this certificate as valid, allowing the attacker to impersonate the OVN database endpoint. This defeats the intended CA-based trust model and enables endpoint impersonation by an active attacker.
This issue is fixed in Incus version 7.0.0.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker to impersonate the OVN database endpoint by exploiting broken TLS validation logic, which defeats the intended CA-based trust model for database connections.
This could potentially lead to unauthorized access or interception of sensitive data transmitted between the system and the OVN database.
Such unauthorized access or interception may impact compliance with data protection standards and regulations like GDPR or HIPAA, which require secure handling and protection of sensitive data.
However, the provided information does not explicitly state the direct impact on compliance with these standards.
How can this vulnerability impact me? :
This vulnerability can allow an attacker positioned on the management network to impersonate the OVN database endpoint by presenting a rogue certificate. This can lead to unauthorized access to the OVN database connection, potentially allowing the attacker to intercept, manipulate, or disrupt communications between Incus and the OVN database.
Such unauthorized access could compromise the integrity and confidentiality of the data exchanged, potentially affecting the security of system containers and virtual machines managed by Incus.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in Incus version 7.0.0. Immediate mitigation involves upgrading Incus to version 7.0.0 or later.
Since the issue involves broken TLS validation logic in OVN database connections, ensure that your OVN endpoints are not exposed to untrusted networks and restrict access on the management network to trusted entities only.