CVE-2026-40197 Overview
CVE-2026-40197 is a null pointer dereference vulnerability [CWE-476] in Incus, an open-source system container and virtual machine manager maintained by the LXC project. The flaw resides in the custom volume backup import subsystem of the Incus daemon. An authenticated user with access to the storage volume feature can supply a crafted backup archive containing a null entry in the volume_snapshots array. Processing the malicious archive triggers a nil-pointer dereference, terminating the Incus daemon. Repeated exploitation keeps Incus offline, producing a sustained denial of service on the affected node. The issue is fixed in Incus 7.0.0.
Critical Impact
An authenticated attacker can crash the Incus daemon repeatedly by importing a backup archive with a null volume_snapshots entry, causing denial of service on the host node.
Affected Products
- Incus system container and virtual machine manager
- All Incus versions prior to 7.0.0
- Hosts exposing the storage volume import feature to authenticated users
Discovery Timeline
- 2026-05-06 - CVE-2026-40197 published to the National Vulnerability Database
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-40197
Vulnerability Analysis
The vulnerability lives inside the custom volume backup import subsystem of the Incus daemon. During import, the daemon processes an index.yaml file embedded in the backup archive and unmarshals its contents using a YAML deserializer. The snapshot import loop iterates over entries in srcBackup.Config.VolumeSnapshots and immediately dereferences fields including Name, Config, Description, CreatedAt, and ExpiresAt on each element. The loop assumes every slice element is initialized and skips a presence check on the pointer itself.
Because the YAML unmarshaler accepts explicit null array elements from the attacker-controlled index.yaml and converts them into nil pointers inside the slice, the first dereference panics. The Go runtime terminates the daemon process, taking down management of every container and virtual machine on the affected node.
Root Cause
The root cause is missing input validation on deserialized slice elements [CWE-476]. The import code trusts that YAML-derived pointers are non-nil before accessing their fields. No guard checks the snapshot pointer against nil before reading its members, so a single null array entry collapses the daemon.
Attack Vector
An authenticated user with permission to use the storage volume feature uploads a crafted custom volume backup archive. The archive contains an index.yaml whose volume_snapshots array includes an explicit null entry, for example a YAML element rendered as ~ or null. When the daemon imports the archive, the snapshot loop dereferences the nil pointer and panics. Re-submitting the archive after each restart maintains a persistent denial-of-service condition.
The vulnerability requires authentication and network reachability to the Incus API but no user interaction. No verified exploit code is currently public. See the GitHub Security Advisory GHSA-r7w7-mmxr-47r9 for vendor technical details.
Detection Methods for CVE-2026-40197
Indicators of Compromise
- Unexpected Incus daemon crashes or panics in journalctl -u incus immediately following a custom volume backup import API call
- Go runtime panic stack traces referencing the volume snapshot import loop and a nil pointer dereference
- Repeated incus storage volume import requests from the same authenticated principal preceding daemon restarts
Detection Strategies
- Monitor Incus daemon process lifecycle and alert when the service restarts in close proximity to storage volume import API activity
- Inspect uploaded backup archives for index.yaml files containing null entries inside the volume_snapshots array before import
- Correlate authenticated API calls to /1.0/storage-pools/<pool>/volumes/custom with subsequent daemon termination events
Monitoring Recommendations
- Forward Incus systemd journal logs and audit events to a centralized log platform for crash pattern analysis
- Track per-user counts of storage volume import operations and flag anomalous spikes from low-privileged accounts
- Alert on availability gaps for containers and virtual machines hosted on Incus nodes that coincide with import activity
How to Mitigate CVE-2026-40197
Immediate Actions Required
- Upgrade all Incus installations to version 7.0.0 or later, which contains the validation fix
- Audit accounts with the storage volume permission and revoke access for users that do not require import capability
- Review recent storage volume import activity in audit logs for crafted archives that produced daemon restarts
Patch Information
The maintainers fixed the issue in Incus 7.0.0. The patch validates each element in srcBackup.Config.VolumeSnapshots before dereferencing its fields, rejecting backup archives that contain null snapshot entries. Refer to the GitHub Security Advisory GHSA-r7w7-mmxr-47r9 for commit references and upgrade guidance.
Workarounds
- Restrict the storage volume import feature to trusted administrative accounts using Incus role-based access control until the upgrade is applied
- Place the Incus API behind a network policy that limits access to operator workstations and management subnets
- Validate backup archive contents in a staging environment before importing into production nodes
# Upgrade Incus on Debian/Ubuntu-based hosts
sudo apt update
sudo apt install --only-upgrade incus
incus --version # Confirm version is 7.0.0 or later
# Verify daemon health after upgrade
systemctl status incus
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
