CVE-2026-41647
Analyzed Analyzed - Analysis Complete
Memory Corruption in Incus Storage Backup Import

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Incus is a system container and virtual machine manager. Prior to version 7.0.0, a missing error handling could lead an authenticated Incus user to cause a daemon crash through the import of a truncated storage bucket backup file. This issue has been patched in version 7.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-07
Generated
2026-06-17
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41647
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxcontainers incus to 7.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41647 is a vulnerability in Incus, a system container and virtual machine manager. The issue arises when an authenticated user imports a truncated or corrupted storage bucket backup file. Specifically, the problem is a nil-pointer dereference in the code that processes tar archive entries during the import. When the code encounters a non-EOF error while reading the archive, it incorrectly assumes the header is valid and tries to access it, causing the daemon to crash.

This vulnerability is due to missing error handling in the function that uploads files from the backup archive, which leads to a panic and daemon crash when processing malformed backup files.

Impact Analysis

This vulnerability can impact you by allowing an authenticated Incus user to cause the daemon to crash. The crash results from importing a malformed or truncated storage bucket backup file, which triggers a nil-pointer dereference in the daemon.

The impact is primarily on availability, as the daemon crash can disrupt the normal operation of the Incus system container and virtual machine manager, potentially causing downtime or service interruptions.

Detection Guidance

This vulnerability involves a daemon crash triggered by importing a truncated or malformed storage bucket backup file in Incus prior to version 7.0.0. Detection would involve monitoring the Incus daemon for crashes or panic logs related to nil-pointer dereferences during backup import operations.

Specifically, you can check Incus daemon logs for panic messages referencing nil-pointer dereferences or errors during the import of backup files.

There are no explicit commands provided in the available resources to detect this vulnerability directly.

Mitigation Strategies

The primary mitigation step is to upgrade Incus to version 7.0.0 or later, where this vulnerability has been patched.

Until the upgrade is applied, avoid importing truncated or malformed storage bucket backup files, especially from untrusted sources, as this can trigger the daemon crash.

Monitor the Incus daemon for crashes and consider restricting authenticated user permissions to limit the ability to import backup files.

Compliance Impact

The vulnerability causes a daemon crash when an authenticated user imports a truncated storage bucket backup file, leading to an availability impact.

There is no information provided about any direct impact on confidentiality or integrity of data, nor any explicit mention of effects on compliance with standards such as GDPR or HIPAA.

Given the nature of the vulnerability (availability impact only), it may affect system availability requirements under some regulations, but no specific compliance implications are detailed in the provided information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41647. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart