Vulnerability in Incus System Container Manager with OVN Database Connection
CVE-2026-40243

Severity: 2.3 (LOW)

Key Information:

Vendor: Lxc
Status: Vendor
CVE Published: 6 May 2026

What is CVE-2026-40243?

Incus, the system container and virtual machine manager, contains a flaw in the TLS verification used for its OVN database connections. In versions prior to 7.0.0, the connection logic relies on custom peer-certificate verification that does not anchor trust in the configured CA certificate. A self-signed certificate chain presented by the remote end can therefore be accepted as valid, which undermines the CA-based trust model these connections are meant to rely on. An attacker positioned on the network path between Incus and the OVN database, for example in an OVN-enabled deployment whose network has already been compromised, could impersonate the database endpoint. Upgrade to Incus 7.0.0 or later to resolve the issue.
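The pattern behind this class of bug, shown as an added Go example that is not Incus code and does not reproduce the project's actual OVN client: a VerifyPeerCertificate callback that only checks the hostname on the leaf certificate, beside one that rebuilds the presented chain and requires it to terminate at the configured CA. The CA, the hostname ovn-nb.example.internal and all function names are constructed for this example. The program mints a CA-signed certificate for the genuine endpoint and a self-signed one for a rogue endpoint using the same name, then shows that only the weak verifier accepts the rogue certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// mustCert issues a fixture certificate for name, signed by parent or self-signed
// when parent is nil (what a rogue endpoint presents). isCA marks the trust anchor.
func mustCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// weakVerifier is the shape of bug the advisory describes: a VerifyPeerCertificate
// callback that checks the leaf names the expected host but never asks whether
// the chain leads to the configured CA, so a self-signed cert with that name passes.
func weakVerifier(host string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		return leaf.VerifyHostname(host)
	}
}

// caAnchoredVerifier does what the weak one omits: it rebuilds the presented chain
// and requires it to terminate at the configured CA. Verify also checks validity
// dates, the hostname and, by default, the server-auth extended key usage.
func caAnchoredVerifier(ca *x509.Certificate, host string) func([][]byte, [][]*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no peer certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		intermediates := x509.NewCertPool()
		for _, raw := range rawCerts[1:] {
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			intermediates.AddCert(c)
		}
		_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, DNSName: host})
		return err
	}
}

// demo signs a cert for the genuine endpoint with a constructed CA, self-signs one for
// a rogue endpoint with the same constructed hostname, and returns
// (weakAcceptsRogue, anchoredAcceptsRogue, anchoredAcceptsGenuine).
func demo() (bool, bool, bool) {
	const host = "ovn-nb.example.internal"
	ca, caKey := mustCert("constructed-ovn-ca", true, nil, nil)
	genuine, _ := mustCert(host, false, ca, caKey)
	rogue, _ := mustCert(host, false, nil, nil) // attacker-controlled, self-signed
	weak, anchored := weakVerifier(host), caAnchoredVerifier(ca, host)
	return weak([][]byte{rogue.Raw}, nil) == nil,
		anchored([][]byte{rogue.Raw}, nil) == nil,
		anchored([][]byte{genuine.Raw}, nil) == nil
}
```

In a real client the anchored callback is assigned to tls.Config.VerifyPeerCertificate; when InsecureSkipVerify is set, that callback is the only verification crypto/tls performs, which is why it must do the chain-building itself. If no custom logic is actually needed, setting RootCAs to the configured CA and ServerName to the expected host, with InsecureSkipVerify left false, makes crypto/tls perform the same anchored check without any custom code.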

Affected Version(s)

incus < 7.0.0

CVSS v4

Score: 2.3
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 6 May 2026
  • Vulnerability reserved