Denial of Service Vulnerability in Incus Storage Bucket Management
CVE-2026-40195

7.1 HIGH

Key Information:

Vendor: Lxc

Status
Vendor
CVE Published: 6 May 2026

What is CVE-2026-40195?

Incus, a system container and virtual machine manager, contains a vulnerability within its storage bucket import logic that can lead to a denial of service. Specifically, in versions prior to 7.0.0, the software fails to validate backup metadata, allowing an authenticated user to exploit this oversight. When processing the index.yaml file from an imported archive without ensuring the initialization of configuration objects, the system may encounter a nil-pointer dereference. This flaw can be leveraged by using a malicious or improperly formed index.yaml to repeatedly crash the Incus daemon, preventing legitimate users from accessing the service. This issue has been addressed in version 7.0.0.
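The failure mode described above, as an added example that is not Incus's own code: metadata decoded from an archive is validated before any optional object is dereferenced. The type, field and function names are hypothetical, and JSON stands in for YAML so the example needs only the standard library; an absent key leaves a pointer field nil in the same way.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical shapes for illustration; not Incus's actual types.
type BucketConfig struct {
	Name   string            `json:"name"`
	Config map[string]string `json:"config"`
}

type BackupIndex struct {
	Name   string        `json:"name"`
	Bucket *BucketConfig `json:"bucket"` // stays nil when the key is absent or null
}

// parseIndex decodes archive metadata and rejects it before any field of
// an optional object is dereferenced.
func parseIndex(raw []byte) (*BackupIndex, error) {
	var idx BackupIndex
	if err := json.Unmarshal(raw, &idx); err != nil {
		return nil, fmt.Errorf("decode index: %w", err)
	}
	if idx.Bucket == nil {
		return nil, errors.New("index has no bucket configuration")
	}
	if idx.Bucket.Config == nil {
		idx.Bucket.Config = map[string]string{} // writing to a nil map would panic too
	}
	return &idx, nil
}

// bucketName reads a nested field; without the nil check in parseIndex this
// access would panic on the second constructed sample in main.
func bucketName(raw []byte) (string, error) {
	idx, err := parseIndex(raw)
	if err != nil {
		return "", err
	}
	return idx.Bucket.Name, nil
}

func main() {
	for _, s := range []string{`{"name":"b1","bucket":{"name":"b1"}}`, `{"name":"b1"}`} {
		name, err := bucketName([]byte(s))
		fmt.Println(name, err)
	}
}
```

Returning an error from the import path turns a malformed archive into a rejected request instead of a daemon crash.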

Affected Version(s)

incus < 7.0.0

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
