CVE-2026-40243 Overview
CVE-2026-40243 is a TLS certificate validation vulnerability in Incus, a system container and virtual machine manager. Versions before 7.0.0 contain broken TLS validation logic in the Open Virtual Network (OVN) database connection paths. The custom peer-certificate verifier disables Go's standard TLS server verification and fails to anchor trust in the configured Certificate Authority (CA). Instead, it builds the verification root set from certificates supplied by the peer during the handshake. An attacker positioned on the management network can present a rogue self-signed chain that Incus accepts as valid. This weakness is tracked under [CWE-295: Improper Certificate Validation].
Critical Impact
An adjacent-network attacker can impersonate the OVN database endpoint and intercept management traffic in OVN-enabled Incus deployments using SSL connections.
Affected Products
- Incus versions prior to 7.0.0
- Incus deployments that use OVN-enabled networking with SSL database connections
- Incus 6.22.0 and earlier OVN client implementations (ovn_nb.go, ovn_sb.go, ovn_icnb.go, ovn_icsb.go)
Discovery Timeline
- 2026-05-06 - CVE-2026-40243 published to the National Vulnerability Database
- 2026-05-06 - Last updated in NVD database
- Fix released in Incus version 7.0.0 per GitHub Security Advisory GHSA-c839-4qxr-j4x3
Technical Details for CVE-2026-40243
Vulnerability Analysis
Incus OVN client code establishes SSL connections to OVN northbound, southbound, and interconnect databases. The implementation disables Go's default crypto/tls server certificate verification and substitutes a custom VerifyPeerCertificate callback. The intent of this callback is to support Incus-specific certificate handling. The implementation contains a logic flaw that breaks the CA-based trust model.
The replacement verifier constructs the trust root pool from certificates that the remote peer sends during the TLS handshake. The configured CA certificate is parsed but never installed as the authoritative trust anchor. As a result, any self-signed chain the peer presents satisfies the verification logic because the peer effectively supplies its own trust root.
An attacker on the management network can impersonate the OVN database, accept Incus connections, and present arbitrary certificates. The Incus server treats the impersonated endpoint as authentic and proceeds with database operations.
Root Cause
The root cause is improper certificate validation in the OVN client TLS path. The custom verifier dynamically builds its root certificate pool from handshake-supplied certificates rather than the operator-configured CA. This converts CA-pinned validation into self-validation, defeating the purpose of mutual TLS for OVN database connections.
Attack Vector
Exploitation requires an adjacent-network position that can intercept or impersonate the OVN database endpoint, such as a compromised host on the management VLAN or an attacker controlling network infrastructure between Incus and OVN. The attacker presents a rogue self-signed certificate chain in response to the Incus TLS handshake. Incus completes the handshake and routes OVN database traffic to the attacker. Refer to the Incus OVN northbound source and southbound source for the affected verification code paths.
Detection Methods for CVE-2026-40243
Indicators of Compromise
- Unexpected certificate fingerprints presented by the OVN database endpoint that do not match the operator-configured CA-issued certificate
- New or unfamiliar TLS server certificates observed on OVN northbound (port 6641) or southbound (port 6642) connections
- OVN database connections originating from or terminating at hosts not listed in the OVN cluster inventory
Detection Strategies
- Inventory all running Incus instances and identify versions earlier than 7.0.0 using OVN networking
- Capture and compare TLS certificates served by OVN endpoints against the known CA-issued certificate set
- Audit OVN database access logs for unexpected client connections or schema operations from non-Incus sources
Monitoring Recommendations
- Continuously monitor management-network traffic for ARP spoofing, rogue DHCP, or BGP route changes that could enable man-in-the-middle positioning
- Alert on TLS handshakes to OVN database ports where the server certificate issuer does not match the configured CA
- Track Incus daemon logs for OVN connection errors, retries, or endpoint changes that may indicate interception attempts
How to Mitigate CVE-2026-40243
Immediate Actions Required
- Upgrade all Incus installations to version 7.0.0 or later, where the OVN TLS verifier correctly anchors trust in the configured CA
- Restrict the OVN management network to trusted hosts only and isolate it from general-purpose networks
- Rotate any OVN database certificates and CA material if interception is suspected
Patch Information
The vulnerability is fixed in Incus version 7.0.0. The fix corrects the VerifyPeerCertificate logic so the configured CA certificate is used as the trust anchor for OVN database TLS connections. Patch details and affected files are documented in GitHub Security Advisory GHSA-c839-4qxr-j4x3.
Workarounds
- Place OVN database traffic on a dedicated, physically or logically isolated management network segment with strict access controls
- Enforce IPsec or another authenticated transport between Incus hosts and OVN database nodes to provide an independent layer of peer authentication
- Monitor for and block unauthorized devices on the management VLAN using port security and 802.1X where supported
# Verify Incus version and upgrade
incus --version
# Upgrade to 7.0.0 or later via your package manager, for example:
sudo apt update && sudo apt install --only-upgrade incus
# Confirm fixed version
incus --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
