Denial of Service Vulnerability in Incus System Container Manager
CVE-2026-40197

7.1 HIGH

Key Information:

Vendor: Lxc
Status: Vendor
CVE Published: 6 May 2026

What is CVE-2026-40197?

Incus, a system container and virtual machine manager, is affected by a vulnerability in its storage volume import logic in versions before 7.0.0. The flaw arises from insufficient validation in the custom volume backup import subsystem, which permits a nil-pointer dereference during import operations. Specifically, when processing the entries of srcBackup.Config.VolumeSnapshots, the daemon assumes that every element is initialized. If an attacker supplies a backup archive containing a null entry, the daemon dereferences a nil pointer and crashes. Because the import can be repeated, the crash can be triggered again each time the daemon restarts, resulting in a persistent denial of service on the affected node. Upgrading to version 7.0.0 or later mitigates the issue.
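The pattern behind this class of bug, shown as an added Go example that is not Incus code: a slice of pointers decoded from an untrusted archive can contain a nil element, and a loop that assumes every element is initialized panics on it. The type names, field names and JSON encoding below are assumptions made for the illustration (the real backup configuration format is not shown on this page); the hardened form validates each entry and turns a null into an error for the caller instead of a daemon crash.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// VolumeSnapshot is a constructed stand-in for one snapshot entry in a custom
// volume backup configuration. The field name is an assumption for this example.
type VolumeSnapshot struct {
	Name string `json:"name"`
}

// BackupConfig is a constructed stand-in for srcBackup.Config. Because the
// snapshots are a slice of pointers, a malformed archive can yield nil elements.
type BackupConfig struct {
	VolumeSnapshots []*VolumeSnapshot `json:"volume_snapshots"`
}

// decodeConfig parses the JSON form used here for the configuration. A JSON
// null element decodes into a nil *VolumeSnapshot without any error, which is
// how a malformed archive reaches the import loop unnoticed.
func decodeConfig(data []byte) (*BackupConfig, error) {
	var cfg BackupConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	return &cfg, nil
}

// snapshotNamesUnchecked mirrors the flawed pattern the advisory describes:
// every element is assumed to be initialized, so a nil entry is dereferenced
// and the goroutine panics (an unrecovered panic takes the whole daemon down).
func snapshotNamesUnchecked(cfg *BackupConfig) []string {
	names := make([]string, 0, len(cfg.VolumeSnapshots))
	for _, snap := range cfg.VolumeSnapshots {
		names = append(names, snap.Name) // panics when snap == nil
	}
	return names
}

// ErrInvalidBackup is returned when the configuration fails validation.
var ErrInvalidBackup = errors.New("invalid backup: nil volume snapshot entry")

// snapshotNamesValidated is the hardened form: untrusted input is validated
// before use, and a nil or empty entry becomes an error the caller can report.
func snapshotNamesValidated(cfg *BackupConfig) ([]string, error) {
	if cfg == nil {
		return nil, errors.New("invalid backup: missing config")
	}
	names := make([]string, 0, len(cfg.VolumeSnapshots))
	for i, snap := range cfg.VolumeSnapshots {
		if snap == nil {
			return nil, fmt.Errorf("%w at index %d", ErrInvalidBackup, i)
		}
		if snap.Name == "" {
			return nil, fmt.Errorf("invalid backup: empty snapshot name at index %d", i)
		}
		names = append(names, snap.Name)
	}
	return names, nil
}

// importCrashes reports whether the unchecked loop would panic on cfg. It
// recovers the panic so the demonstration itself keeps running.
func importCrashes(cfg *BackupConfig) (crashed bool) {
	defer func() {
		if r := recover(); r != nil {
			crashed = true
		}
	}()
	_ = snapshotNamesUnchecked(cfg)
	return false
}

func main() {
	// Constructed input: a configuration whose second snapshot entry is null.
	malformed, err := decodeConfig([]byte(`{"volume_snapshots":[{"name":"snap0"},null,{"name":"snap2"}]}`))
	if err != nil {
		panic(err)
	}
	fmt.Println("unchecked loop panics:", importCrashes(malformed))
	_, err = snapshotNamesValidated(malformed)
	fmt.Println("validated import rejects archive:", err)
}
```

The defensive rule the hardened function applies is general: anything decoded from an archive or network message is attacker-controlled, so pointer-typed elements are checked for nil at the trust boundary and rejected with an error, rather than being trusted by every later consumer.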

Affected Version(s)

incus < 7.0.0

References

CVSS V4

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved