CVE-2026-41684: CWE-476: NULL Pointer Dereference in lxc incus
CVE-2026-41684 is a medium severity vulnerability in the Incus container and VM manager prior to version 7. 0. 0. It involves a NULL pointer dereference triggered during the restore process of instance backups. An authenticated user with permission to import backups can craft a backup archive with a valid inline config but a malformed legacy backup. yaml file that omits the container section. This causes the Incus daemon to crash after archive extraction begins. The issue has been fixed in version 7. 0. 0.
AI Analysis
Technical Summary
Incus versions before 7.0.0 trust the inline backup/index.yaml config during backup import but only parse the legacy backup/container/backup.yaml file if the inline config is nil. A crafted backup archive can contain a valid inline config and a malformed legacy backup.yaml missing the container section. The parsing function accepts YAML without a container section, leading to downstream code dereferencing a nil container pointer, causing a daemon crash. This occurs in the restore path after extraction starts, affecting functions like backup.UpdateInstanceConfig() and internalImportFromBackup(). The vulnerability is a NULL pointer dereference (CWE-476) exploitable by an authenticated user with import permissions. The issue is patched in Incus 7.0.0.
Potential Impact
An authenticated user with permission to import instance backups can cause a denial of service by crashing the Incus daemon during the restore process. There is no indication of confidentiality or integrity impact, only availability is affected. No known exploits are reported in the wild.
Mitigation Recommendations
This vulnerability is fixed in Incus version 7.0.0. Users should upgrade to version 7.0.0 or later to remediate the issue. Patch status is not explicitly confirmed beyond the version bump, so verify with vendor advisories for official fixes. Until patched, restrict import permissions to trusted users only to reduce risk.
CVE-2026-41684: CWE-476: NULL Pointer Dereference in lxc incus
Description
CVE-2026-41684 is a medium severity vulnerability in the Incus container and VM manager prior to version 7. 0. 0. It involves a NULL pointer dereference triggered during the restore process of instance backups. An authenticated user with permission to import backups can craft a backup archive with a valid inline config but a malformed legacy backup. yaml file that omits the container section. This causes the Incus daemon to crash after archive extraction begins. The issue has been fixed in version 7. 0. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Incus versions before 7.0.0 trust the inline backup/index.yaml config during backup import but only parse the legacy backup/container/backup.yaml file if the inline config is nil. A crafted backup archive can contain a valid inline config and a malformed legacy backup.yaml missing the container section. The parsing function accepts YAML without a container section, leading to downstream code dereferencing a nil container pointer, causing a daemon crash. This occurs in the restore path after extraction starts, affecting functions like backup.UpdateInstanceConfig() and internalImportFromBackup(). The vulnerability is a NULL pointer dereference (CWE-476) exploitable by an authenticated user with import permissions. The issue is patched in Incus 7.0.0.
Potential Impact
An authenticated user with permission to import instance backups can cause a denial of service by crashing the Incus daemon during the restore process. There is no indication of confidentiality or integrity impact, only availability is affected. No known exploits are reported in the wild.
Mitigation Recommendations
This vulnerability is fixed in Incus version 7.0.0. Users should upgrade to version 7.0.0 or later to remediate the issue. Patch status is not explicitly confirmed beyond the version bump, so verify with vendor advisories for official fixes. Until patched, restrict import permissions to trusted users only to reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-22T03:53:24.406Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fca382cbff5d8610fd58f9
Added to database: 5/7/2026, 2:36:50 PM
Last enriched: 5/7/2026, 2:52:04 PM
Last updated: 5/7/2026, 3:38:41 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.