CVE-2026-40195

Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage bucket import logic allows an authenticated user with access to the storage bucket feature to cause the Incus daemon to crash. The vulnerability is present in the backup metadata handling logic, where the daemon processes the index.yaml file from an imported archive and accesses members of the parsed backup configuration without first verifying that the configuration object was initialized. A malicious or malformed index.yaml that omits the config block causes a nil-pointer dereference during bucket import operations and terminates the daemon. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/lxc/incus/security/advisories/GHSA-gc7j-g665-rxr9	Exploit Vendor Advisory
https://github.com/lxc/incus/security/advisories/GHSA-gc7j-g665-rxr9	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*

History

07 May 2026, 17:07

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
First Time		Linuxcontainers Linuxcontainers incus
References	~~() https://github.com/lxc/incus/security/advisories/GHSA-gc7j-g665-rxr9 -~~	() https://github.com/lxc/incus/security/advisories/GHSA-gc7j-g665-rxr9 - Exploit, Vendor Advisory
CPE		cpe:2.3:a:linuxcontainers:incus::::::::

06 May 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-06 21:16

Updated : 2026-05-07 17:07

NVD link : CVE-2026-40195

Mitre link : CVE-2026-40195

CVE.ORG link : CVE-2026-40195

JSON object : View

Products Affected

linuxcontainers

incus

CWE

CWE-476

NULL Pointer Dereference

{"id": "CVE-2026-40195", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-05-06T21:16:00.793", "references": [{"url": "https://github.com/lxc/incus/security/advisories/GHSA-gc7j-g665-rxr9", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/lxc/incus/security/advisories/GHSA-gc7j-g665-rxr9", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage bucket import logic allows an authenticated user with access to the storage bucket feature to cause the Incus daemon to crash. The vulnerability is present in the backup metadata handling logic, where the daemon processes the index.yaml file from an imported archive and accesses members of the parsed backup configuration without first verifying that the configuration object was initialized. A malicious or malformed index.yaml that omits the config block causes a nil-pointer dereference during bucket import operations and terminates the daemon. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0."}], "lastModified": "2026-05-07T17:07:08.320", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF8EBB4B-C1F0-44C5-B063-9CF8EB6E0972", "versionEndExcluding": "7.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}