CVE-2026-41685: CWE-770: Allocation of Resources Without Limits or Throttling in lxc incus
CVE-2026-41685 is a medium severity vulnerability in the Incus container and virtual machine manager prior to version 7. 0. 0. Authenticated users could upload large amounts of data without limits or throttling, potentially exhausting disk space on the host system and causing a denial of service. Users employing storage. images_volume and storage. backups_volume are less impacted since uploads are stored on separate volumes rather than the host filesystem. This issue has been addressed in Incus version 7. 0. 0.
AI Analysis
Technical Summary
Incus versions before 7.0.0 have a resource allocation vulnerability (CWE-770) where authenticated users can upload large data volumes without restrictions, leading to disk space exhaustion on the host system. This can disrupt the host's operation by filling its disk. The default configuration on IncusOS mitigates this somewhat by storing large uploads on dedicated volumes (storage.images_volume and storage.backups_volume) instead of the host filesystem. The vulnerability is fixed in version 7.0.0.
Potential Impact
The vulnerability allows authenticated users to consume unlimited disk space on the host system by uploading large amounts of data, potentially causing the host to run out of disk space and become unavailable. There is no impact on confidentiality or integrity, only availability is affected. The impact is reduced for users who have configured storage.images_volume and storage.backups_volume, as uploads are isolated from the host filesystem in those cases.
Mitigation Recommendations
This vulnerability is fixed in Incus version 7.0.0. Users should upgrade to version 7.0.0 or later to remediate this issue. Since no official patch link or advisory is provided, confirm the upgrade path with the vendor's official release notes. Users relying on storage.images_volume and storage.backups_volume have partial mitigation by default. Patch status is not explicitly confirmed beyond the version update; verify with vendor advisories for current remediation guidance.
CVE-2026-41685: CWE-770: Allocation of Resources Without Limits or Throttling in lxc incus
Description
CVE-2026-41685 is a medium severity vulnerability in the Incus container and virtual machine manager prior to version 7. 0. 0. Authenticated users could upload large amounts of data without limits or throttling, potentially exhausting disk space on the host system and causing a denial of service. Users employing storage. images_volume and storage. backups_volume are less impacted since uploads are stored on separate volumes rather than the host filesystem. This issue has been addressed in Incus version 7. 0. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Incus versions before 7.0.0 have a resource allocation vulnerability (CWE-770) where authenticated users can upload large data volumes without restrictions, leading to disk space exhaustion on the host system. This can disrupt the host's operation by filling its disk. The default configuration on IncusOS mitigates this somewhat by storing large uploads on dedicated volumes (storage.images_volume and storage.backups_volume) instead of the host filesystem. The vulnerability is fixed in version 7.0.0.
Potential Impact
The vulnerability allows authenticated users to consume unlimited disk space on the host system by uploading large amounts of data, potentially causing the host to run out of disk space and become unavailable. There is no impact on confidentiality or integrity, only availability is affected. The impact is reduced for users who have configured storage.images_volume and storage.backups_volume, as uploads are isolated from the host filesystem in those cases.
Mitigation Recommendations
This vulnerability is fixed in Incus version 7.0.0. Users should upgrade to version 7.0.0 or later to remediate this issue. Since no official patch link or advisory is provided, confirm the upgrade path with the vendor's official release notes. Users relying on storage.images_volume and storage.backups_volume have partial mitigation by default. Patch status is not explicitly confirmed beyond the version update; verify with vendor advisories for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-22T03:53:24.406Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fca382cbff5d8610fd58fd
Added to database: 5/7/2026, 2:36:50 PM
Last enriched: 5/7/2026, 2:51:57 PM
Last updated: 5/7/2026, 3:44:02 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.