Vulnerability in Incus Virtual Machine Manager Affects Inline Backup Configurations
CVE-2026-41684

6.5 MEDIUM

Key Information:

Vendor: Lxc
Status: Vendor
CVE Published: 7 May 2026

What is CVE-2026-41684?

Incus, a system container and virtual machine manager, mishandles backup configurations in versions prior to 7.0.0. When an inline configuration file is present in a backup archive, the backup.GetInfo() function trusts that configuration without adequately validating it. A crafted backup archive can therefore pair a valid inline configuration with a malformed legacy configuration. The problem surfaces during restoration: because the legacy backup lacks its container section, the restore path crashes. As a result, an authenticated user who holds permission to import backups can disrupt the Incus daemon by importing such a specially crafted archive. Version 7.0.0 addresses the issue by properly enforcing the validation checks.
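The trust gap the description points at, as an added illustration in hypothetical Go (not Incus code; the archive paths, JSON layout and function names are assumptions): a GetInfo that returns as soon as a valid inline configuration parses, beside one that validates the legacy configuration's container section first, each run through a simulated restore.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// archive stands in for a backup tarball (path -> contents); the paths and JSON layout are hypothetical.
type archive map[string]string
const inlinePath, legacyPath = "backup/config.inline.json", "backup/config.legacy.json"
type inlineConfig struct{ Name string `json:"name"` }
type containerSection struct{ Name string `json:"name"` }
type legacyConfig struct{ Container *containerSection `json:"container"` } // nil when the section is absent

// getInfoVulnerable models pre-7.0.0: an inline config is trusted as-is and the legacy one is never checked.
func getInfoVulnerable(a archive) (string, error) {
	var in inlineConfig
	if raw, ok := a[inlinePath]; ok && json.Unmarshal([]byte(raw), &in) == nil {
		return in.Name, nil
	}
	return getInfoHardened(a) // legacy-only path, which was already validated
}

// getInfoHardened models the fix: the legacy config must parse and carry a container section first.
func getInfoHardened(a archive) (string, error) {
	var leg legacyConfig
	if raw, ok := a[legacyPath]; !ok || json.Unmarshal([]byte(raw), &leg) != nil || leg.Container == nil {
		return "", errors.New("legacy backup config missing or has no container section")
	}
	var in inlineConfig
	if raw, ok := a[inlinePath]; ok && json.Unmarshal([]byte(raw), &in) == nil {
		return in.Name, nil
	}
	return leg.Container.Name, nil
}

// simulateRestore runs GetInfo, then the restore step that dereferences the legacy container
// section; a recovered nil-pointer panic ("crash") stands in for the daemon going down.
func simulateRestore(a archive, getInfo func(archive) (string, error)) (out string) {
	defer func() { if recover() != nil { out = "crash" } }()
	if _, err := getInfo(a); err != nil {
		return "rejected"
	}
	var leg legacyConfig
	_ = json.Unmarshal([]byte(a[legacyPath]), &leg) // parse error ignored, as on the crash path
	return "ok " + leg.Container.Name            // nil dereference when the section is missing
}

// craftedArchive pairs a valid inline config with a legacy config that has no "container" key (constructed).
func craftedArchive() archive { return archive{inlinePath: `{"name":"c1"}`, legacyPath: `{}`} }

func main() { fmt.Println(simulateRestore(craftedArchive(), getInfoVulnerable), simulateRestore(craftedArchive(), getInfoHardened)) }
```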

Affected Version(s)

incus < 7.0.0

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
