CVE-2026-41647
MEDIUM
Incus: Nil-Pointer Dereference via S3 Bucket Import
Title source: cnaDescription
Incus is a system container and virtual machine manager. Prior to version 7.0.0, missing error handling could allow an authenticated Incus user to crash the daemon by importing a truncated storage bucket backup file. This issue has been patched in version 7.0.0.
References (2)
Core References
x_refsource_confirm
https://github.com/lxc/incus/security/advisories/GHSA-fwj8-62r8-8p8m
x_refsource_misc
https://github.com/lxc/incus/releases/tag/v7.0.0
Scores
CVSS v3
6.5
EPSS
0.0039
EPSS Percentile
31.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-476
Status
published
Products (3)
linuxcontainers/incus
< 7.0.0
lxc/incus
0 - 6.23.0 (Go)
lxc/incus
< 7.0.0
Published
May 07, 2026
Tracked Since
May 07, 2026