GHSA-4xg6-52mh-fpw8: Incus: Nil-pointer dereference in createDependentVolumesFromBackup on disk.{Volume,VolumeSnapshots,Pool}
A nil-pointer dereference vulnerability exists in the Incus daemon (incusd) in the function createDependentVolumesFromBackup. An authenticated user with can_create_instances permission can upload a specially crafted instance backup tarball containing malformed dependent volume entries with nil snapshot pointers or missing volume/pool fields. This causes the daemon to panic and crash, resulting in a persistent denial of service. The issue affects versions prior to 7.1.0.
AI Analysis
Technical Summary
The vulnerability is a nil-pointer dereference in the createDependentVolumesFromBackup function within internal/server/storage/backend.go of the Incus project. The function iterates over dependent volumes in a backup's config and dereferences sub-fields VolumeSnapshots[i], Volume, and Pool without checking for nil values. An attacker with authenticated access and can_create_instances permission can craft a backup tarball with dependent volumes containing nil snapshot pointers or missing volume or pool fields, triggering a panic in the daemon. This leads to a crash of incusd and persistent denial of service. The issue arises because the existing fix only checked the outer disk pointer for nil but did not guard nested pointers. The vulnerability affects versions before 7.1.0.
Potential Impact
An authenticated attacker with can_create_instances permission can cause the incusd daemon to crash by submitting a malicious instance backup containing malformed dependent volume entries. This results in a persistent denial of service condition, disrupting service availability. There is no indication of privilege escalation or data corruption beyond the crash. The severity is low due to the requirement for authenticated access and the impact limited to denial of service.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict can_create_instances permission to trusted users only to reduce risk. Monitor for daemon crashes and avoid importing untrusted backup tarballs with dependent volumes. No official patch links are provided in the current data.
GHSA-4xg6-52mh-fpw8: Incus: Nil-pointer dereference in createDependentVolumesFromBackup on disk.{Volume,VolumeSnapshots,Pool}
Description
A nil-pointer dereference vulnerability exists in the Incus daemon (incusd) in the function createDependentVolumesFromBackup. An authenticated user with can_create_instances permission can upload a specially crafted instance backup tarball containing malformed dependent volume entries with nil snapshot pointers or missing volume/pool fields. This causes the daemon to panic and crash, resulting in a persistent denial of service. The issue affects versions prior to 7.1.0.
CVSS v4.0
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability is a nil-pointer dereference in the createDependentVolumesFromBackup function within internal/server/storage/backend.go of the Incus project. The function iterates over dependent volumes in a backup's config and dereferences sub-fields VolumeSnapshots[i], Volume, and Pool without checking for nil values. An attacker with authenticated access and can_create_instances permission can craft a backup tarball with dependent volumes containing nil snapshot pointers or missing volume or pool fields, triggering a panic in the daemon. This leads to a crash of incusd and persistent denial of service. The issue arises because the existing fix only checked the outer disk pointer for nil but did not guard nested pointers. The vulnerability affects versions before 7.1.0.
Potential Impact
An authenticated attacker with can_create_instances permission can cause the incusd daemon to crash by submitting a malicious instance backup containing malformed dependent volume entries. This results in a persistent denial of service condition, disrupting service availability. There is no indication of privilege escalation or data corruption beyond the crash. The severity is low due to the requirement for authenticated access and the impact limited to denial of service.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict can_create_instances permission to trusted users only to reduce risk. Monitor for daemon crashes and avoid importing untrusted backup tarballs with dependent volumes. No official patch links are provided in the current data.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-4xg6-52mh-fpw8
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-48754"]
- Ecosystems
- ["Go"]
- Database Specific Severity
- LOW
- Cvss Version
- 4.0
Threat ID: 6a3ef78d27e9c79719ff4970
Added to database: 06/26/2026, 22:05:01 UTC
Last enriched: 06/26/2026, 22:15:53 UTC
Last updated: 06/26/2026, 22:15:53 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.