CVE-2026-33743: CWE-770: Allocation of Resources Without Limits or Throttling in lxc incus
CVE-2026-33743 is a medium severity vulnerability in Incus, a system container and VM manager, affecting versions prior to 6.23.0. It involves allocation of resources without limits or throttling (CWE-770) triggered by a specially crafted storage bucket backup. An attacker with access to the storage bucket feature can crash the Incus daemon, causing a denial of service (DoS) on the control plane API. This does not affect running containers or VMs, which continue operating normally. Exploitation is low complexity, requires privileges (access to the storage bucket feature), and needs no user interaction. The issue is fixed in version 6.23.0.
AI Analysis
Technical Summary
CVE-2026-33743 is a resource allocation vulnerability classified under CWE-770, found in Incus, a system container and virtual machine manager developed by the LXC project. Prior to version 6.23.0, Incus improperly handles resource allocation when processing storage bucket backups. Specifically, a maliciously crafted storage bucket backup can cause Incus to allocate resources without any limits or throttling, leading to exhaustion of critical resources within the Incus daemon process. An attacker who has access to the storage bucket feature can exploit this flaw by repeatedly submitting crafted backups, causing the Incus daemon to crash. This results in a denial of service condition affecting the control plane API, which manages container and VM lifecycle operations. Importantly, this vulnerability does not impact the availability or operation of running workloads, containers, or virtual machines themselves; only the management interface is affected. The vulnerability has a CVSS v3.1 base score of 6.5, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (access to storage bucket feature), no user interaction, and impacts availability only. No known exploits are reported in the wild as of the publication date. The issue is resolved in Incus version 6.23.0 by implementing proper resource allocation limits and throttling mechanisms during storage bucket backup processing.
Potential Impact
The primary impact of CVE-2026-33743 is a denial of service against the Incus control plane API, which can disrupt container and VM management operations such as creation, deletion, and configuration changes. While running workloads remain unaffected, the inability to manage containers or virtual machines can severely hinder operational agility and incident response capabilities. Organizations relying on Incus for container and VM orchestration may experience downtime in administrative functions, potentially delaying critical updates or scaling actions. In environments with automated orchestration or CI/CD pipelines dependent on Incus API availability, this vulnerability could cause cascading operational disruptions. Repeated exploitation could keep the control plane offline for extended periods, increasing operational risk. Although exploitation requires some privilege level, insider threats or compromised accounts with storage bucket access could leverage this vulnerability. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.
Mitigation Recommendations
The definitive mitigation is to upgrade Incus to version 6.23.0 or later, where the vulnerability is patched. Until upgrade is possible, organizations should restrict access to the storage bucket feature to trusted and minimal user sets, enforcing strict access controls and monitoring for unusual backup activity. Implement rate limiting or throttling at the network or application layer to detect and block repeated storage bucket backup requests that could trigger resource exhaustion. Employ logging and alerting on Incus daemon crashes or restarts to enable rapid detection of attempted exploitation. Consider isolating the Incus management API behind firewalls or VPNs to reduce exposure. Regularly audit user privileges to ensure only necessary users have storage bucket access. In environments using automated tooling, validate backup inputs to prevent injection of crafted payloads. Finally, maintain up-to-date backups and incident response plans to recover quickly from potential DoS conditions.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T17:34:57.561Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c5ba613c064ed76fe1f5d1
Added to database: 3/26/2026, 10:59:45 PM
Last enriched: 3/26/2026, 11:15:31 PM
Last updated: 3/27/2026, 12:22:18 AM