CVE-2026-40251 Overview
CVE-2026-40251 affects Incus, an open source system container and virtual machine manager maintained by the LXC project. The vulnerability resides in the storage volume import logic of versions prior to 7.0.0. Missing validation in the backup restore subsystem allows an authenticated user with storage volume access to crash the Incus daemon by submitting a crafted backup archive. The same flawed indexing pattern also exists in the migration code path. Repeated exploitation keeps the daemon offline, producing a sustained denial of service condition against Incus-managed workloads. The issue is tracked under [CWE-129] Improper Validation of Array Index and is fixed in Incus 7.0.0.
Critical Impact
An authenticated attacker with storage volume privileges can crash the Incus daemon on demand by submitting a tampered backup archive, taking container and VM management offline.
Affected Products
- Incus system container and virtual machine manager versions before 7.0.0
- Incus backup restore subsystem in internal/server/storage/backend.go
- Incus migration path using the same snapshot indexing pattern
Discovery Timeline
- 2026-05-06 - CVE-2026-40251 published to the National Vulnerability Database
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-40251
Vulnerability Analysis
The vulnerability is an out-of-bounds read panic triggered during backup restoration of storage volumes. When Incus iterates through physical snapshot directories included in a backup archive, the loop uses each iteration index i to fetch the matching metadata entry from the parsed Config.Snapshots and Config.VolumeSnapshots slices. The guard condition len(slice) >= i-1 does not correctly bound the access. The check can evaluate to true even when slice[i] is past the end of the slice, producing a runtime panic in the Go process backing the Incus daemon. The same incorrect bounds check appears in the migration code path, expanding the attack surface beyond backup imports.
Root Cause
The root cause is a logic error in the bounds check expression itself. The intent of the comparison was to confirm that index i is addressable, but len(slice) >= i-1 permits access when len(slice) equals i-1 or i, both of which place slice[i] out of bounds. This off-by-more-than-one condition violates the array index validation requirements described in [CWE-129].
Attack Vector
An authenticated user with permission to import storage volumes submits a backup archive that contains physical snapshot directories on disk while supplying an index.yaml whose snapshot metadata array is empty or truncated. During restoration, the loop iterates over the on-disk snapshot directories and indexes into the shorter metadata slice. The faulty guard allows the read past the slice boundary, the Go runtime raises a panic, and the Incus daemon terminates. Repeating the request after each restart sustains a denial of service against the host.
No verified public exploit code is available. See the Incus GitHub Security Advisory GHSA-4m88-wxj4-9qj6 and the affected source in internal/server/storage/backend.go for technical details.
Detection Methods for CVE-2026-40251
Indicators of Compromise
- Unexpected Incus daemon crashes with Go runtime panic stack traces referencing slice index out of range in backend.go
- Storage volume import or migration API calls immediately followed by daemon termination and systemd restart events
- Backup archives whose index.yaml snapshot metadata array length is inconsistent with the number of snapshot directories present in the archive
Detection Strategies
- Monitor Incus daemon process exits and correlate with preceding incus storage volume import or incus move API requests from authenticated users
- Inspect backup archive contents server-side before restore, comparing the count of physical snapshot directories against the length of Config.Snapshots and Config.VolumeSnapshots in index.yaml
- Alert on repeated daemon restarts within short windows, which is the operational signature of the denial of service loop
Monitoring Recommendations
- Forward Incus daemon logs and systemd unit status to a central log pipeline and trigger on panic strings combined with storage subsystem stack frames
- Track API audit events for storage volume import, restore, and migration operations and tie them to user identity for post-incident review
- Baseline normal restart frequency for the Incus service and alert on deviations indicative of repeated crash exploitation
How to Mitigate CVE-2026-40251
Immediate Actions Required
- Upgrade Incus to version 7.0.0 or later on every host running the daemon
- Restrict the storage volume import and migration permissions to trusted operators until the upgrade is complete
- Audit recent backup restore and migration activity for crash patterns matching this vulnerability
Patch Information
The vulnerability is fixed in Incus 7.0.0. The fix corrects the bounds check used when indexing snapshot metadata during backup restore and migration. Refer to the Incus GitHub Security Advisory GHSA-4m88-wxj4-9qj6 for the patch commit and release notes.
Workarounds
- Revoke storage volume feature access for any account that does not strictly require backup import or migration capability
- Validate backup archives out-of-band before submitting them to Incus, rejecting any archive where snapshot directory count does not match index.yaml metadata
- Place the Incus API behind network controls that limit which authenticated clients can reach storage import endpoints
# Upgrade Incus to the patched release on Debian/Ubuntu-based systems
sudo apt update
sudo apt install --only-upgrade incus
incus --version # confirm 7.0.0 or later
# Restrict storage volume permissions for non-administrative groups
incus auth group permission remove untrusted-ops storage_volume can_manage_backups
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
