CVE-2026-41648
Memory Exhaustion in Incus via Malicious YAML
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canonical | incus | to 7.0.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41648 is a vulnerability in Incus, a system container and virtual machine manager, affecting versions prior to 7.0.0. The flaw is an unbounded read of YAML metadata while parsing user-provided image and backup tarballs.
An authenticated user can upload a crafted tarball whose YAML entry (the image's metadata.yaml or a backup's backup/index.yaml) declares a very large size in its tar header. The daemon reads the whole entry into memory and hands it to the YAML decoder without any cap, so memory consumption is proportional to whatever size the attacker chose.
The root cause (CWE-770) is that the functions responsible for decoding YAML neither check the size of the tar entry nor wrap the entry in a limited reader, so arbitrarily large YAML documents are loaded and decoded in full.
Decoding amplifies the cost: the in-memory representation of the parsed YAML is roughly 5 to 6 times the size of the input bytes, so a tarball of modest size can drive allocations several times larger, exhausting server memory or degrading performance.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-41648 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
This vulnerability can cause the Incus server to consume excessive amounts of memory when processing crafted image or backup tarballs.
As a result, the server may run out of memory, leading to crashes or degraded performance due to increased garbage collection pressure.
This can disrupt services relying on Incus, causing downtime or instability in container or virtual machine management.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered by the parsing of user-provided image and backup tarballs that contain oversized YAML entries, so detection focuses on two things: the daemon's memory behaviour during imports, and the declared size of YAML entries inside tarballs before they are imported.
On the host, watch for unusually high memory usage by the Incus daemon (incusd), particularly while image or backup imports are in progress; a sharp rise that tracks an import is the symptom to look for.
Before importing a tarball from an untrusted source, list its entries and check the declared sizes of metadata.yaml (images) and backup/index.yaml (backups); a YAML metadata file that is megabytes in size is not something a legitimate image or backup produces.
Suggested commands include:
- Check the daemon's resident memory, e.g. with `top`, `htop`, or `ps -o rss,vsz,cmd -C incusd`.
- List entries with their declared sizes without extracting anything: `tar -tvf <tarball>` (GNU tar detects .xz and .gz compression on its own). The size column is the tar header size, which is exactly the value the vulnerable reader trusts.
- Stream a single entry to count its bytes without writing it to disk: `tar -xOf <tarball> metadata.yaml | wc -c` (for a backup, use `backup/index.yaml`). Because `-O` streams to stdout, the check itself does not hold the entry in memory.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Incus to version 7.0.0 or later, where the fix enforces a size limit on the tar entry before it is handed to the YAML decoder.
Until the upgrade can be performed, limit who is allowed to import images and backups to trusted, authenticated users, and pre-screen tarballs from other sources by inspecting the declared size of their YAML entries before importing them.
Monitoring the daemon's memory usage and capping the resources it may consume (for example a cgroup memory limit on the service, such as a systemd MemoryMax= setting) do not remove the vulnerability, but they contain the blast radius so that a crafted import cannot take the whole host down with it.
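The bounded read described above, as an added example in Go (the language Incus is written in) that is not Incus code: it builds a constructed sample tarball in memory, walks the headers to flag YAML entries whose declared size is above a cap (the detection step from the previous answer), and contrasts the unbounded read with a loader that rejects on the header size and then caps the actual read with io.LimitReader, which is the shape of the fix the advisory describes. The 1 MiB cap, the two entry names matched, and every function name here are assumptions chosen for illustration; the YAML decode itself is omitted so the example stays standard-library only.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// maxYAMLEntrySize is an assumed cap for illustration, not the limit Incus uses.
const maxYAMLEntrySize int64 = 1 << 20 // 1 MiB

// ErrYAMLTooLarge is returned when a YAML entry exceeds the cap.
var ErrYAMLTooLarge = errors.New("yaml entry exceeds size limit")

// tarEntry is a constructed (name, body) pair used only to build sample input.
type tarEntry struct {
	name string
	body []byte
}

// buildTarball writes the entries into an uncompressed tar stream. Compression
// is left out; the header Size field the advisory talks about is the same.
func buildTarball(entries []tarEntry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write(e.body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// isYAMLEntry matches the two metadata files named in the advisory.
func isYAMLEntry(name string) bool {
	n := strings.TrimPrefix(name, "./")
	return n == "metadata.yaml" || n == "backup/index.yaml"
}

// readEntryUnbounded is the vulnerable pattern: read the whole entry into
// memory with no regard for hdr.Size, then pass it to the YAML decoder.
func readEntryUnbounded(tr *tar.Reader) ([]byte, error) {
	return io.ReadAll(tr)
}

// readEntryBounded is the hardened pattern: reject on the declared header size
// before allocating anything, then cap the real read with io.LimitReader so a
// body that disagrees with its header still cannot exceed the limit.
func readEntryBounded(hdr *tar.Header, tr *tar.Reader, limit int64) ([]byte, error) {
	if hdr.Size > limit {
		return nil, fmt.Errorf("%w: %s declares %d bytes, limit %d", ErrYAMLTooLarge, hdr.Name, hdr.Size, limit)
	}
	buf, err := io.ReadAll(io.LimitReader(tr, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > limit {
		return nil, fmt.Errorf("%w: %s body exceeds %d bytes", ErrYAMLTooLarge, hdr.Name, limit)
	}
	return buf, nil
}

// scanTarball is the detection check: walk headers only (no bodies are read)
// and report YAML entries whose declared size exceeds limit.
func scanTarball(data []byte, limit int64) ([]string, error) {
	var oversized []string
	tr := tar.NewReader(bytes.NewReader(data))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return oversized, nil
		}
		if err != nil {
			return nil, err
		}
		if isYAMLEntry(hdr.Name) && hdr.Size > limit {
			oversized = append(oversized, hdr.Name)
		}
	}
}

// loadYAMLEntries is the hardened loader: every YAML entry goes through
// readEntryBounded and the first oversized one aborts the import. The returned
// bytes are what would be handed to the YAML decoder.
func loadYAMLEntries(data []byte, limit int64) (map[string][]byte, error) {
	out := map[string][]byte{}
	tr := tar.NewReader(bytes.NewReader(data))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		if !isYAMLEntry(hdr.Name) {
			continue
		}
		body, err := readEntryBounded(hdr, tr, limit)
		if err != nil {
			return nil, err
		}
		out[hdr.Name] = body
	}
}

func main() {
	// Constructed sample: a normal image metadata file, a backup index padded
	// to 2 MiB (twice the assumed cap), and a non-YAML entry that is ignored.
	sample := buildTarball([]tarEntry{
		{"metadata.yaml", []byte("architecture: x86_64\n")},
		{"backup/index.yaml", bytes.Repeat([]byte("#"), 2<<20)},
		{"rootfs/etc/hostname", []byte("demo\n")},
	})
	flagged, _ := scanTarball(sample, maxYAMLEntrySize)
	fmt.Println("oversized YAML entries:", flagged)
	_, err := loadYAMLEntries(sample, maxYAMLEntrySize)
	fmt.Println("hardened loader:", err)
}
```

The header check and the LimitReader are deliberately both present: the header is what a listing shows and what costs nothing to reject, while the limited read guards against an archive whose body and header disagree. readEntryUnbounded is kept only as the before-fix shape for comparison; nothing in the loader calls it.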