GHSA-xhqx-mgh3-3h7q: Incus: CreateCustomVolumeFromBackup nil-pointer dereference on volume_snapshots[*].expires_at (sibling-field variant of GHSA-r7w7)
A nil-pointer dereference vulnerability exists in the Incus daemon's CreateCustomVolumeFromBackup function, where the ExpiresAt field of volume snapshots is dereferenced without a nil check. An authenticated user with permission to create storage volumes can trigger a daemon crash by uploading a crafted backup tarball missing the expires_at field in volume snapshots, causing a denial of service.
AI Analysis
Technical Summary
The Incus daemon (incusd) contains a vulnerability in the CreateCustomVolumeFromBackup function within internal/server/storage/backend.go. The function dereferences the ExpiresAt field, a pointer to time.Time, of each volume snapshot without verifying it is non-nil. This leads to a runtime panic if the expires_at field is omitted in the uploaded backup's volume_snapshots YAML. An attacker with the can_create_storage_volumes entitlement can exploit this by uploading a malicious custom volume backup tarball, causing the incusd process to crash and resulting in a persistent denial of service. This issue is a sibling-field variant of a previously known vulnerability (GHSA-r7w7, CVE-2026-40197).
Potential Impact
Exploitation causes the incusd daemon to panic and crash due to an unhandled nil pointer dereference. This results in a denial of service condition where the storage volume creation service is unavailable until the daemon is restarted. The vulnerability requires authenticated access with specific permissions, limiting the attack surface. There is no indication of code execution or data corruption beyond service disruption.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict access to users with the can_create_storage_volumes entitlement to trusted personnel only. Avoid uploading custom volume backups that omit the expires_at field in volume snapshots. Monitor vendor communications for an official fix or update that adds proper nil checks to prevent the panic.
GHSA-xhqx-mgh3-3h7q: Incus: CreateCustomVolumeFromBackup nil-pointer dereference on volume_snapshots[*].expires_at (sibling-field variant of GHSA-r7w7)
Description
A nil-pointer dereference vulnerability exists in the Incus daemon's CreateCustomVolumeFromBackup function, where the ExpiresAt field of volume snapshots is dereferenced without a nil check. An authenticated user with permission to create storage volumes can trigger a daemon crash by uploading a crafted backup tarball missing the expires_at field in volume snapshots, causing a denial of service.
CVSS v4.0
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Incus daemon (incusd) contains a vulnerability in the CreateCustomVolumeFromBackup function within internal/server/storage/backend.go. The function dereferences the ExpiresAt field, a pointer to time.Time, of each volume snapshot without verifying it is non-nil. This leads to a runtime panic if the expires_at field is omitted in the uploaded backup's volume_snapshots YAML. An attacker with the can_create_storage_volumes entitlement can exploit this by uploading a malicious custom volume backup tarball, causing the incusd process to crash and resulting in a persistent denial of service. This issue is a sibling-field variant of a previously known vulnerability (GHSA-r7w7, CVE-2026-40197).
Potential Impact
Exploitation causes the incusd daemon to panic and crash due to an unhandled nil pointer dereference. This results in a denial of service condition where the storage volume creation service is unavailable until the daemon is restarted. The vulnerability requires authenticated access with specific permissions, limiting the attack surface. There is no indication of code execution or data corruption beyond service disruption.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict access to users with the can_create_storage_volumes entitlement to trusted personnel only. Avoid uploading custom volume backups that omit the expires_at field in volume snapshots. Monitor vendor communications for an official fix or update that adds proper nil checks to prevent the panic.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-xhqx-mgh3-3h7q
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-48756"]
- Ecosystems
- ["Go"]
- Database Specific Severity
- LOW
- Cvss Version
- 4.0
Threat ID: 6a3ef78d27e9c79719ff4948
Added to database: 06/26/2026, 22:05:01 UTC
Last enriched: 06/26/2026, 22:15:41 UTC
Last updated: 06/26/2026, 22:15:41 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.