CVE-2026-40197: CWE-476: NULL Pointer Dereference in lxc incus
Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The custom volume backup import subsystem contains a nil-pointer dereference vulnerability during import operations. In the snapshot import loop, the daemon iterates over entries from `srcBackup.Config.VolumeSnapshots` and assumes that each slice element is initialized, then dereferences fields such as `Name`, `Config`, `Description`, `CreatedAt`, and `ExpiresAt` without first validating the element itself. Because the yaml unmarshaler accepts explicit null array elements from an attacker-controlled index.yaml and converts them into nil pointers inside the slice, an attacker can supply a backup archive containing a null entry in the volume_snapshots array. This causes a nil-pointer dereference during custom volume import and terminates the daemon, resulting in denial of service on the affected node. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0.
AI Analysis
Technical Summary
Incus versions before 7.0.0 have a null pointer dereference vulnerability (CWE-476) in the custom volume backup import subsystem. During snapshot import, the daemon iterates over the srcBackup.Config.VolumeSnapshots slice without validating that each element is non-nil. The yaml unmarshaler converts explicit null array elements from an attacker-controlled index.yaml into nil pointers. When the daemon dereferences fields such as Name, Config, Description, CreatedAt, and ExpiresAt on these nil elements, it crashes. This allows an authenticated user with storage volume feature access to cause a denial of service by crashing the daemon repeatedly. The vulnerability is addressed in Incus version 7.0.0.
Potential Impact
An authenticated user with access to the storage volume feature can cause the Incus daemon to crash by supplying a malicious backup archive with null entries in the volume_snapshots array. This results in denial of service on the affected node. Repeated exploitation can keep the daemon offline, impacting availability. There is no indication of privilege escalation, data corruption, or remote code execution from the provided data.
Mitigation Recommendations
This vulnerability is fixed in Incus version 7.0.0. Users should upgrade to version 7.0.0 or later to remediate this issue. No other official remediation or temporary fix information is provided. Patch status is not explicitly confirmed beyond the fix in version 7.0.0; users should verify with the vendor advisory for the latest guidance.
CVE-2026-40197: CWE-476: NULL Pointer Dereference in lxc incus
Description
Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The custom volume backup import subsystem contains a nil-pointer dereference vulnerability during import operations. In the snapshot import loop, the daemon iterates over entries from `srcBackup.Config.VolumeSnapshots` and assumes that each slice element is initialized, then dereferences fields such as `Name`, `Config`, `Description`, `CreatedAt`, and `ExpiresAt` without first validating the element itself. Because the yaml unmarshaler accepts explicit null array elements from an attacker-controlled index.yaml and converts them into nil pointers inside the slice, an attacker can supply a backup archive containing a null entry in the volume_snapshots array. This causes a nil-pointer dereference during custom volume import and terminates the daemon, resulting in denial of service on the affected node. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Incus versions before 7.0.0 have a null pointer dereference vulnerability (CWE-476) in the custom volume backup import subsystem. During snapshot import, the daemon iterates over the srcBackup.Config.VolumeSnapshots slice without validating that each element is non-nil. The yaml unmarshaler converts explicit null array elements from an attacker-controlled index.yaml into nil pointers. When the daemon dereferences fields such as Name, Config, Description, CreatedAt, and ExpiresAt on these nil elements, it crashes. This allows an authenticated user with storage volume feature access to cause a denial of service by crashing the daemon repeatedly. The vulnerability is addressed in Incus version 7.0.0.
Potential Impact
An authenticated user with access to the storage volume feature can cause the Incus daemon to crash by supplying a malicious backup archive with null entries in the volume_snapshots array. This results in denial of service on the affected node. Repeated exploitation can keep the daemon offline, impacting availability. There is no indication of privilege escalation, data corruption, or remote code execution from the provided data.
Mitigation Recommendations
This vulnerability is fixed in Incus version 7.0.0. Users should upgrade to version 7.0.0 or later to remediate this issue. No other official remediation or temporary fix information is provided. Patch status is not explicitly confirmed beyond the fix in version 7.0.0; users should verify with the vendor advisory for the latest guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-09T20:59:17.621Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fba9cccbff5d86105e9c32
Added to database: 5/6/2026, 8:51:24 PM
Last enriched: 5/6/2026, 9:06:38 PM
Last updated: 5/7/2026, 8:13:15 AM
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.