Skip to main content

Red Hat CVE-2026-33743

| EUVDEUVD-2026-16464 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-03-26 GitHub_M GHSA-vg76-xmhg-j5x3
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 23:01 euvd
EUVD-2026-16464
Analysis Generated
Mar 26, 2026 - 23:01 vuln.today
CVE Published
Mar 26, 2026 - 22:40 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by an user with access to Incus' storage bucket feature to crash the Incus daemon. Repeated use of this attack can be used to keep the server offline causing a denial of service of the control plane API. This does not impact any running workload, existing containers and virtual machines will keep operating. Version 6.23.0 fixes the issue.

AnalysisAI

Denial of service in Incus prior to version 6.23.0 allows authenticated users with storage bucket access to crash the Incus daemon via specially crafted storage bucket backups, enabling repeated attacks to render the control plane API unavailable while leaving running workloads unaffected. The vulnerability requires local or remote authentication to the Incus system and has a CVSS score of 6.5 (medium severity) with high availability impact. Vendor-released patch available in version 6.23.0.

Technical ContextAI

Incus (cpe:2.3:a:lxc:incus) is a system container and virtual machine manager that provides storage bucket functionality for managing container and VM data. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), indicating improper handling of resource allocation during the processing of storage bucket backup files. When a maliciously crafted backup is parsed or restored, the daemon fails to properly validate or limit resource consumption, resulting in uncontrolled memory or CPU usage that crashes the process. The attack vector is network-based with low complexity, requiring only valid Incus credentials to exploit.

RemediationAI

Upgrade Incus to version 6.23.0 or later immediately (see vendor advisory at https://github.com/lxc/incus/security/advisories/GHSA-vg76-xmhg-j5x3). Until patching is feasible, restrict storage bucket access to trusted users, implement network-level rate limiting on backup restore operations to slow repeated attacks, and configure monitoring and alerting on Incus daemon crashes to detect exploitation attempts. Consider temporarily disabling storage bucket features if not actively required.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-33743 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy