CVE-2026-41684
Incus Daemon Crash via Malformed Legacy Backup
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canonical | incus | to 7.0.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated user with backup import permissions to crash the Incus daemon, causing a denial of service by exploiting a crafted backup archive. This impacts system availability but does not directly affect confidentiality or integrity of data.
Since the vulnerability primarily causes a crash (availability impact) without data leakage or unauthorized data modification, its direct effect on compliance with standards like GDPR or HIPAA, which emphasize data confidentiality and integrity, is limited.
However, availability is also a component of many compliance frameworks. A denial of service could potentially affect compliance if it disrupts critical services or data access required by these regulations.
Can you explain this vulnerability to me?
CVE-2026-41684 is a vulnerability in Incus, a system container and virtual machine manager. It occurs because the system trusts an inline backup/index.yaml configuration file during import, while a malformed legacy backup/container/backup.yaml file that lacks a container section is only parsed later during the restore process. This causes functions like UpdateInstanceConfig() and internalImportFromBackup() to dereference a nil container pointer, leading to a crash of the Incus daemon.
An authenticated user with permission to import instance backups can exploit this by crafting a backup archive with a valid inline config but a malformed legacy backup.yaml file, triggering the crash during the restore path after archive extraction has started.
How can this vulnerability impact me?
This vulnerability can impact you by causing a denial of service through crashing the Incus daemon. Since the crash occurs during the restore process of a backup, it can disrupt system availability and operations dependent on Incus.
The CVSS score of 6.5 indicates a medium severity with a high impact on availability, meaning the main risk is that the service managing containers and virtual machines becomes unavailable due to the crash.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes of the Incus daemon during the import of instance backups, especially when an authenticated user with backup import permissions attempts to restore from a backup archive.
Detection involves verifying the integrity and structure of backup archives before import, specifically checking that the legacy backup/container/backup.yaml file contains a valid container section and is not malformed.
While no specific commands are provided, administrators can use system logs to identify daemon crashes and inspect backup archives manually or with custom scripts to validate the presence and correctness of the container section in backup.yaml files.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, ensure that backup archives are validated before import to confirm that the legacy backup/container/backup.yaml file contains a proper container section and is not malformed.
Restrict backup import permissions to trusted users only, minimizing the risk of maliciously crafted backups being imported.
Upgrade Incus to version 7.0.0 or later, where this issue has been patched.
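The pre-import archive check described in the detection and mitigation answers above can be scripted as follows. This is an added example, not code from Incus or from this advisory: it assumes the backup is a plain or compressed tar archive and that backup.yaml is block-style YAML, and the function names, status strings and sample field names are hypothetical.

```python
import io
import tarfile

LEGACY_PATH = "backup/container/backup.yaml"  # path as named in the text above
# Constructed samples; field names are illustrative, not the Incus schema.
GOOD = "container:\n  name: c1\npool:\n  name: default\n"
BAD = "pool:\n  name: default\n"  # no container section

def has_container_section(text):
    """Heuristic for block-style YAML: top-level 'container:' with a value."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("container:"):
            continue
        inline = line[len("container:"):].split("#", 1)[0].strip()
        if inline:
            return inline not in ("null", "~", "{}")
        for nxt in lines[i + 1:]:  # first real line after the key must be indented
            if nxt.strip() and not nxt.lstrip().startswith("#"):
                return nxt[0] in " \t"
        return False
    return False

def check_backup(fileobj, max_bytes=1 << 20):
    """Classify a tar backup: ok, missing-container, no-legacy-file, unreadable."""
    try:
        with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
            for m in tar:
                name = m.name[2:] if m.name.startswith("./") else m.name
                if name != LEGACY_PATH:
                    continue
                f = tar.extractfile(m)  # None for non-regular members
                if f is None:
                    return "unreadable"
                text = f.read(max_bytes).decode("utf-8", "replace")
                return "ok" if has_container_section(text) else "missing-container"
    except (tarfile.TarError, OSError, EOFError):
        return "unreadable"
    return "no-legacy-file"

def make_sample(text, path=LEGACY_PATH):
    """Build a constructed in-memory .tar.gz holding a single file."""
    data, buf = text.encode(), io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(path)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

To screen a real archive, pass a binary file object, for example `check_backup(open(path, "rb"))`, and hold back anything that does not return `ok` for manual review before import.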