SentinelOne
CVE Vulnerability Database

CVE-2026-33743: Incus Storage Bucket DoS Vulnerability

CVE-2026-33743 is a denial of service flaw in Incus that allows authenticated users to crash the daemon via malicious storage bucket backups. This article covers the technical details, affected versions, and mitigation steps.

CVE-2026-33743 Overview

CVE-2026-33743 is a denial of service vulnerability affecting Incus, an open-source system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be exploited by an authenticated user with access to Incus' storage bucket feature to crash the Incus daemon. This vulnerability allows attackers to repeatedly crash the daemon, effectively keeping the server offline and causing a denial of service of the control plane API.

Critical Impact

Authenticated attackers can crash the Incus daemon through malicious storage bucket backups, causing denial of service to the control plane API. While running workloads remain unaffected, management operations become unavailable.

Affected Products

  • Incus versions prior to 6.23.0
  • Systems with storage bucket feature enabled
  • Environments where users have storage bucket access permissions

Discovery Timeline

  • 2026-03-26 - CVE-2026-33743 published to NVD
  • 2026-03-26 - Last updated in NVD database

Technical Details for CVE-2026-33743

Vulnerability Analysis

This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The flaw exists in how the Incus daemon processes storage bucket backup files. When a user with storage bucket access submits a specially crafted backup file, the daemon fails to properly validate or limit resource allocation during processing, leading to a crash condition.

The attack is network-accessible and requires low privileges (authenticated user with storage bucket access), making it relatively easy to exploit once an attacker has legitimate access to the system. While the vulnerability does not impact confidentiality or integrity, it has a high impact on availability of the control plane.

Importantly, this vulnerability only affects the Incus daemon's control plane API. Existing containers and virtual machines will continue to operate normally even when the daemon is crashed, limiting the blast radius to management operations rather than running workloads.

Root Cause

The root cause of CVE-2026-33743 lies in improper resource allocation handling (CWE-770) within the storage bucket backup processing functionality. The Incus daemon does not implement adequate limits or throttling when processing backup data, allowing malformed input to exhaust resources or trigger an unhandled exception that terminates the daemon process.

Attack Vector

The attack is conducted over the network by an authenticated user with access to the storage bucket feature. The attacker crafts a malicious storage bucket backup file designed to trigger the crash condition when processed by the Incus daemon. By repeatedly submitting these malicious backups, an attacker can keep the daemon offline indefinitely, effectively denying service to all management API operations.

The attack requires:

  1. Valid authentication to the Incus system
  2. Access permissions to the storage bucket feature
  3. Ability to submit storage bucket backup files

For technical implementation details, refer to the GitHub Security Advisory.

Detection Methods for CVE-2026-33743

Indicators of Compromise

  • Unexpected Incus daemon crashes or restarts in system logs
  • Repeated daemon termination events in close succession
  • Error messages related to storage bucket backup processing
  • Unusual storage bucket backup submission activity from specific users

Detection Strategies

  • Monitor system logs for Incus daemon crash events and correlate with storage bucket operations
  • Implement alerting on repeated daemon restart patterns that may indicate active exploitation
  • Review audit logs for storage bucket backup submissions, particularly from recently created or suspicious accounts
  • Deploy endpoint detection to identify abnormal process termination patterns

Monitoring Recommendations

  • Enable detailed logging for storage bucket operations in Incus
  • Configure automated alerts when the Incus daemon process terminates unexpectedly
  • Monitor API availability and response times to detect degraded service conditions
  • Implement log aggregation to correlate backup submission events with daemon crashes
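The correlation described under Detection Strategies and Monitoring Recommendations, as an added example written for this article (not Incus or SentinelOne tooling): it attributes unexpected daemon exits to the storage bucket backup imports that preceded them and flags users whose imports repeatedly precede a crash. The journal line formats, user names and bucket names are constructed assumptions; a real deployment would feed it journald output and tune the window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample journal lines (assumed formats, not real Incus output): two
# bucket-backup imports by "mallory" each followed by a daemon exit, one benign one by "alice".
SAMPLE_LOG = """\
2026-03-26T10:00:01Z incusd[1201]: storage bucket backup import user=alice project=default bucket=data1
2026-03-26T10:04:10Z incusd[1201]: storage bucket backup import user=mallory project=default bucket=b1
2026-03-26T10:04:12Z systemd[1]: incus.service: Main process exited, code=killed, status=6/ABRT
2026-03-26T10:05:30Z incusd[1340]: storage bucket backup import user=mallory project=default bucket=b2
2026-03-26T10:05:33Z systemd[1]: incus.service: Main process exited, code=killed, status=6/ABRT
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+?)\[\d+\]: (?P<msg>.*)$")
IMPORT_RE = re.compile(r"storage bucket backup import user=(?P<user>\S+)")
CRASH_MARK = "incus.service: Main process exited"  # systemd's line for an unexpected exit

def parse(log):
    # Reduce raw lines to (timestamp, kind, user) events; everything else is ignored.
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        im = IMPORT_RE.search(m["msg"])
        if im:
            events.append((ts, "import", im["user"]))
        elif CRASH_MARK in m["msg"]:
            events.append((ts, "crash", None))
    return events

def correlate(events, window=timedelta(seconds=30)):
    """Map each daemon exit to the bucket-backup imports seen within `window` before it."""
    hits = defaultdict(int)
    recent = []  # (ts, user) imports not yet followed by a crash
    for ts, kind, user in sorted(events, key=lambda e: e[0]):
        if kind == "import":
            recent.append((ts, user))
            continue
        for t, u in recent:
            if ts - t <= window:
                hits[u] += 1
        recent = []  # a crash consumes the pending imports
    return dict(hits)

def alerts(log, threshold=2):
    """Users whose imports preceded at least `threshold` daemon exits."""
    return sorted(u for u, n in correlate(parse(log)).items() if n >= threshold)
```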

How to Mitigate CVE-2026-33743

Immediate Actions Required

  • Upgrade Incus to version 6.23.0 or later immediately
  • Review and audit user access to the storage bucket feature, limiting permissions where possible
  • Monitor for daemon crashes and investigate any suspicious activity
  • Consider temporarily disabling storage bucket backup functionality if patching is delayed

Patch Information

The vulnerability has been fixed in Incus version 6.23.0. Organizations should update to this version or later to remediate the vulnerability. The patch addresses the resource allocation issue in the storage bucket backup processing code.

For detailed patch information, see the GitHub Security Advisory.

Workarounds

  • Restrict storage bucket feature access to only trusted administrators until patching is complete
  • Implement network segmentation to limit who can access the Incus API
  • Deploy rate limiting on API endpoints to slow down repeated attack attempts
  • Enable process monitoring with automatic restart to reduce downtime during attacks

```bash
# Example: Restrict storage bucket access in Incus
# Review current project permissions
incus project show default

# Limit storage bucket feature to specific users/groups
# Consult Incus documentation for granular permission configuration
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
