Out-of-Bounds Vulnerability in Incus System Container and VM Manager
CVE-2026-40251

7.1HIGH

Key Information:

Vendor: Lxc
Status: Incus
Vendor: CVE Published:; 6 May 2026

What is CVE-2026-40251?

Incus, a system container and virtual machine manager, is impacted by an out-of-bounds access vulnerability present in versions prior to 7.0.0. This vulnerability arises from missing validation logic in the storage volume import feature, allowing an authenticated user to trigger crashes in the Incus daemon. Specifically, the backup restore subsystem is susceptible to an out-of-bounds panic when indexing snapshot metadata arrays due to incorrect bounds checking. An attacker can exploit this issue by submitting a backup archive containing tampered metadata, which can lead to the daemon being unable to recover from the invalid access. Consequently, this can result in a denial of service, preventing the normal operation of Incus. The vulnerability has been addressed in version 7.0.0.

Affected Version(s)

incus < 7.0.0

References

https://github.com/lxc/incus/security/advisories/GHSA-4m8...

x_refsource_CONFIRM

https://github.com/lxc/incus/blob/v6.22.0/internal/server...

x_refsource_MISC

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2026
Vulnerability Reserved
Apr 10, 2026

CVE-2026-40251 Data

JSON

Lxc

What is CVE-2026-40251?

Affected Version(s)

References

CVSS V4

Timeline