CVE-2026-40195 Overview
CVE-2026-40195 is a null pointer dereference vulnerability in Incus, an open-source system container and virtual machine manager maintained by the LXC project. The flaw resides in the storage bucket import logic, where the daemon parses an index.yaml file from an imported backup archive without validating that the configuration object was initialized. An authenticated user with access to the storage bucket feature can submit a malformed archive that omits the config block, triggering a nil-pointer dereference and crashing the Incus daemon. Repeated exploitation keeps Incus offline and produces a sustained denial of service. The issue is fixed in Incus version 7.0.0.
Critical Impact
An authenticated attacker can repeatedly crash the Incus daemon by importing a crafted storage bucket archive, denying service to all containers and virtual machines managed by the host.
Affected Products
- Incus system container and virtual machine manager
- All Incus releases prior to version 7.0.0
- Deployments exposing storage bucket import functionality to non-administrative users
Discovery Timeline
- 2026-05-06 - CVE-2026-40195 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-40195
Vulnerability Analysis
The vulnerability is classified under [CWE-476] Null Pointer Dereference. Incus exposes a storage bucket import operation that consumes a backup archive containing metadata in an index.yaml file. During import, the daemon unmarshals this YAML into a backup configuration structure and accesses nested members of the parsed object before validating that the structure is complete.
When an attacker submits an archive whose index.yaml omits the config block, the configuration field remains nil. The daemon dereferences this nil pointer while reading bucket metadata, causing the Go runtime to panic and terminate the Incus process. Because Incus runs as a long-lived daemon that supervises containers and virtual machines, a panic stops orchestration, API access, and lifecycle operations until an operator restarts the service.
Root Cause
The root cause is missing input validation in the backup metadata handling routine. The import path trusts the structure of attacker-supplied YAML and does not check whether required substructures are present before dereferencing them. Defensive nil checks on the parsed configuration object are absent in versions before 7.0.0.
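The pattern described above, as an added Go example that is not Incus's own code: a pointer-typed field left nil when the index document omits its block, read without a check in the vulnerable form and validated in the hardened form. Type names, field names and the two sample documents are constructed for this example; the standard-library JSON decoder stands in for the YAML decoder so the example runs without external modules, and it leaves an absent mapping nil in the same way.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// BucketConfig stands in for the nested config block of index.yaml.
// Names are assumptions for this example, not Incus's real types.
type BucketConfig struct {
	Name   string `json:"name"`
	Driver string `json:"driver"`
}

// BackupIndex models the top-level index document. Config is a pointer,
// so a document that omits the "config" key leaves it nil after decoding.
type BackupIndex struct {
	Config *BucketConfig `json:"config"`
}

// Constructed sample documents. JSON is used only so the example runs with the
// standard library; a YAML decoder leaves an absent mapping nil the same way.
const wellFormedIndex = `{"config": {"name": "backups", "driver": "dir"}}`
const malformedIndex = `{"volume": {"name": "backups"}}`

// bucketNameUnchecked mirrors the vulnerable pattern: it decodes the index and
// reads a nested member without confirming the config block was present.
func bucketNameUnchecked(doc string) string {
	var idx BackupIndex
	_ = json.Unmarshal([]byte(doc), &idx)
	return idx.Config.Name // nil pointer dereference when "config" is absent
}

// bucketNameChecked is the hardened form: decoding errors and a missing config
// block both become ordinary errors instead of a runtime panic.
func bucketNameChecked(doc string) (string, error) {
	var idx BackupIndex
	if err := json.Unmarshal([]byte(doc), &idx); err != nil {
		return "", fmt.Errorf("parse index: %w", err)
	}
	if idx.Config == nil {
		return "", errors.New("invalid backup index: missing config block")
	}
	if idx.Config.Name == "" {
		return "", errors.New("invalid backup index: config.name is empty")
	}
	return idx.Config.Name, nil
}

// panics reports whether calling f causes a runtime panic; it exists so the
// unchecked path can be observed without terminating the process.
func panics(f func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	f()
	return false
}

func main() {
	fmt.Println("unchecked, well-formed:", bucketNameUnchecked(wellFormedIndex))
	fmt.Println("unchecked, malformed panics:", panics(func() { bucketNameUnchecked(malformedIndex) }))
	name, err := bucketNameChecked(malformedIndex)
	fmt.Printf("checked, malformed: name=%q err=%v\n", name, err)
}
```

In a long-lived daemon the unchecked read is fatal because the panic unwinds the whole process; the checked form turns the same input into a rejected request, which is the shape of fix the advisory describes.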
Attack Vector
Exploitation requires network access to the Incus API and authenticated permissions to use the storage bucket feature. The attacker crafts a backup archive containing an index.yaml file that intentionally omits the top-level config mapping. Submitting the archive through the bucket import endpoint triggers the dereference. Repeated submissions after each daemon restart sustain the denial of service condition.
No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-gc7j-g665-rxr9 for vendor technical details.
Detection Methods for CVE-2026-40195
Indicators of Compromise
- Unexpected Incus daemon crashes or panic stack traces referencing storage bucket or backup configuration code paths.
- API audit log entries showing storage bucket import requests from non-administrative accounts immediately preceding daemon termination.
- Repeated systemd or service-manager restarts of the incus or incusd process within short time windows.
Detection Strategies
- Monitor Incus daemon logs for Go runtime panic messages and nil pointer dereference traces during bucket import operations.
- Correlate authenticated API calls to the storage bucket import endpoint with subsequent process exits to flag exploitation attempts.
- Alert on import requests whose index.yaml, when parsed at an inspection proxy, lacks a config key.
Monitoring Recommendations
- Track the rate of Incus service restarts per host and alert when restarts exceed normal baselines.
- Audit the user accounts permitted to invoke storage bucket operations and review their API activity for anomalies.
- Forward Incus daemon logs and API access logs to a centralized SIEM for retention and correlation.
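The correlation and restart-rate checks from the two lists above, as an added Go example rather than anything shipped by Incus or a SIEM vendor. The log lines are constructed, in an assumed "<RFC3339 timestamp> <source> <message>" layout; the API path, the user field and the panic and systemd message text are illustrative placeholders, not Incus's real log formats.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample log lines; the path and messages are placeholders.
var sampleLog = []string{
	"2026-05-06T10:00:01Z api user=bob method=POST path=/1.0/storage-pools/default/buckets/site-backups/import",
	"2026-05-06T10:00:02Z incusd panic: runtime error: invalid memory address or nil pointer dereference",
	"2026-05-06T10:00:02Z systemd incus.service: Main process exited, code=exited, status=2",
	"2026-05-06T10:00:04Z systemd incus.service: Scheduled restart job, restart counter is at 1.",
	"2026-05-06T10:05:00Z api user=alice method=GET path=/1.0/instances",
	"2026-05-06T10:05:30Z api user=bob method=POST path=/1.0/storage-pools/default/buckets/site-backups/import",
	"2026-05-06T10:05:31Z incusd panic: runtime error: invalid memory address or nil pointer dereference",
	"2026-05-06T10:05:31Z systemd incus.service: Main process exited, code=exited, status=2",
	"2026-05-06T10:05:33Z systemd incus.service: Scheduled restart job, restart counter is at 2.",
	"2026-05-06T11:00:00Z api user=alice method=POST path=/1.0/storage-pools/default/buckets/site-backups/import",
}

type event struct {
	at     time.Time
	source string
	msg    string
}

// parseLine splits one line into timestamp, source and message; malformed lines are dropped.
func parseLine(line string) (event, bool) {
	parts := strings.SplitN(line, " ", 3)
	if len(parts) != 3 {
		return event{}, false
	}
	at, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return event{}, false
	}
	return event{at: at, source: parts[1], msg: parts[2]}, true
}

// fieldValue extracts a key=value token from the message, e.g. the requesting user.
func fieldValue(msg, key string) string {
	for _, kv := range strings.Fields(msg) {
		if strings.HasPrefix(kv, key+"=") {
			return strings.TrimPrefix(kv, key+"=")
		}
	}
	return ""
}

// Finding records one bucket import that was followed by a daemon exit within the window.
type Finding struct {
	User      string
	RequestAt time.Time
	CrashAt   time.Time
}

// correlateImportCrashes flags every bucket import request that is followed, within
// window, by a nil-pointer panic or a service-manager "Main process exited" line.
func correlateImportCrashes(lines []string, window time.Duration) []Finding {
	var events []event
	for _, l := range lines {
		if ev, ok := parseLine(l); ok {
			events = append(events, ev)
		}
	}
	var findings []Finding
	for i, ev := range events {
		if ev.source != "api" || !strings.Contains(ev.msg, "/buckets/") || !strings.Contains(ev.msg, "/import") {
			continue
		}
		for _, later := range events[i+1:] {
			if later.at.Sub(ev.at) > window {
				break
			}
			if strings.Contains(later.msg, "nil pointer dereference") || strings.Contains(later.msg, "Main process exited") {
				findings = append(findings, Finding{User: fieldValue(ev.msg, "user"), RequestAt: ev.at, CrashAt: later.at})
				break
			}
		}
	}
	return findings
}

// restartsWithin returns the peak number of service-manager restart lines that fall
// inside any window of the given length, the figure a restart-rate alert compares to baseline.
func restartsWithin(lines []string, window time.Duration) int {
	var times []time.Time
	for _, l := range lines {
		if ev, ok := parseLine(l); ok && ev.source == "systemd" && strings.Contains(ev.msg, "Scheduled restart") {
			times = append(times, ev.at)
		}
	}
	peak := 0
	for i := range times {
		n := 0
		for _, t := range times[i:] {
			if t.Sub(times[i]) <= window {
				n++
			}
		}
		if n > peak {
			peak = n
		}
	}
	return peak
}

func main() {
	for _, f := range correlateImportCrashes(sampleLog, 10*time.Second) {
		fmt.Printf("import by %s at %s followed by daemon exit at %s\n",
			f.User, f.RequestAt.Format(time.RFC3339), f.CrashAt.Format(time.RFC3339))
	}
	fmt.Println("peak restarts in 15 minutes:", restartsWithin(sampleLog, 15*time.Minute))
}
```

On the sample lines, both of bob's imports are followed by a crash within the window and are reported with the account name, alice's import at 11:00 is not, and the peak restart count over 15 minutes is 2; a real deployment would feed the same logic from the forwarded daemon and API logs and tune the window and baseline to the host.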
How to Mitigate CVE-2026-40195
Immediate Actions Required
- Upgrade all Incus installations to version 7.0.0 or later, which contains the validation fix.
- Restrict storage bucket feature permissions to trusted administrative accounts until patching is complete.
- Review existing API tokens and certificates to ensure only authorized users can reach the bucket import endpoint.
Patch Information
The vulnerability is fixed in Incus version 7.0.0. Patch details and the upstream commit are referenced in the GitHub Security Advisory GHSA-gc7j-g665-rxr9. Operators running distribution-packaged Incus should apply the corresponding distribution update once available.
Workarounds
- Remove the storage bucket permission from non-administrative user roles in the Incus authorization configuration.
- Place the Incus API behind a reverse proxy that inspects and rejects bucket import payloads with malformed index.yaml content.
- Disable storage bucket import functionality entirely on hosts that do not require it.
# Verify current Incus version and upgrade
incus --version
# Example: upgrade via package manager (Debian/Ubuntu)
sudo apt update && sudo apt install --only-upgrade incus
# Confirm fixed version is installed
incus --version # expect 7.0.0 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.