CVE-2026-40251: CWE-129: Improper Validation of Array Index in lxc incus
Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The backup restore subsystem contains an out-of-bounds panic vulnerability caused by an invalid bounds check when indexing snapshot metadata arrays, and the same flawed pattern also appears in the migration path. When iterating through physical snapshots provided in a backup archive, the loop uses the index to look up corresponding metadata in the parsed `Config.Snapshots` and `Config.VolumeSnapshots` slices. The guard condition `len(slice) >= i-1` is incorrect because it can still evaluate to true when the subsequent slice[i] access is out of bounds. An attacker can submit a backup archive that contains physical snapshot directories while supplying a tampered `index.yaml` with an empty or truncated snapshot metadata array, causing the daemon to index beyond the end of the metadata slice and crash. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0.
AI Analysis
Technical Summary
Incus, a system container and virtual machine manager, contains an out-of-bounds array indexing vulnerability (CWE-129) in versions before 7.0.0. The flaw exists in the backup restore subsystem's handling of snapshot metadata arrays during storage volume import. The guard condition used to check array bounds is incorrect, allowing indexing beyond the end of the metadata slice when processing physical snapshots from a backup archive. An attacker with authenticated access to the storage volume feature can submit a backup archive with manipulated snapshot metadata, causing the daemon to crash due to an out-of-bounds panic. This results in a denial of service condition. The vulnerability is addressed in Incus version 7.0.0.
Potential Impact
An authenticated user with access to the storage volume feature can cause the Incus daemon to crash by exploiting an out-of-bounds array indexing vulnerability. This leads to a denial of service by repeatedly crashing the daemon and keeping it offline. There is no indication of remote code execution or data corruption beyond the denial of service impact.
Mitigation Recommendations
This vulnerability is fixed in Incus version 7.0.0. Users should upgrade to version 7.0.0 or later to remediate this issue. Patch status is not explicitly confirmed in the vendor advisory, but the fix is stated to be included in version 7.0.0. Until upgraded, restrict access to the storage volume feature to trusted users only to reduce risk.
CVE-2026-40251: CWE-129: Improper Validation of Array Index in lxc incus
Description
Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The backup restore subsystem contains an out-of-bounds panic vulnerability caused by an invalid bounds check when indexing snapshot metadata arrays, and the same flawed pattern also appears in the migration path. When iterating through physical snapshots provided in a backup archive, the loop uses the index to look up corresponding metadata in the parsed `Config.Snapshots` and `Config.VolumeSnapshots` slices. The guard condition `len(slice) >= i-1` is incorrect because it can still evaluate to true when the subsequent slice[i] access is out of bounds. An attacker can submit a backup archive that contains physical snapshot directories while supplying a tampered `index.yaml` with an empty or truncated snapshot metadata array, causing the daemon to index beyond the end of the metadata slice and crash. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Incus, a system container and virtual machine manager, contains an out-of-bounds array indexing vulnerability (CWE-129) in versions before 7.0.0. The flaw exists in the backup restore subsystem's handling of snapshot metadata arrays during storage volume import. The guard condition used to check array bounds is incorrect, allowing indexing beyond the end of the metadata slice when processing physical snapshots from a backup archive. An attacker with authenticated access to the storage volume feature can submit a backup archive with manipulated snapshot metadata, causing the daemon to crash due to an out-of-bounds panic. This results in a denial of service condition. The vulnerability is addressed in Incus version 7.0.0.
Potential Impact
An authenticated user with access to the storage volume feature can cause the Incus daemon to crash by exploiting an out-of-bounds array indexing vulnerability. This leads to a denial of service by repeatedly crashing the daemon and keeping it offline. There is no indication of remote code execution or data corruption beyond the denial of service impact.
Mitigation Recommendations
This vulnerability is fixed in Incus version 7.0.0. Users should upgrade to version 7.0.0 or later to remediate this issue. Patch status is not explicitly confirmed in the vendor advisory, but the fix is stated to be included in version 7.0.0. Until upgraded, restrict access to the storage volume feature to trusted users only to reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T17:31:45.786Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fba9cccbff5d86105e9c3c
Added to database: 5/6/2026, 8:51:24 PM
Last enriched: 5/6/2026, 9:06:24 PM
Last updated: 5/7/2026, 2:01:05 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.