Denial of Service Vulnerability in Incus System Container Manager
CVE-2026-41685

4.3 MEDIUM

Key Information:

Vendor

Lxc

Status
Vendor
CVE Published:
7 May 2026

What is CVE-2026-41685?

The Incus system container and virtual machine manager has a vulnerability that allows authenticated users to upload excessive amounts of data. This can exhaust the disk space of the Incus server and potentially cause a denial of service condition on the host system. Users leveraging the storage.images_volume and storage.backups_volume features are less affected, as their uploads are directed to these dedicated volumes rather than the host filesystem. The issue has been addressed in version 7.0.0, ensuring better management of large uploads.

Affected Version(s)

incus < 7.0.0

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
