Incus CVE-2026-41647
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
Missing error handling could lead an authenticated Incus user to cause a daemon crash through the import of a truncated storage bucket backup file.
Details
It was found that TransferManager.UploadAllFiles iterates over tar entries but only checks for io.EOF from tr.Next(). When tr.Next() returns a non-EOF error, such as unexpected EOF from a truncated archive, the header hdr is nil and the code continues to access hdr.Name, causing a nil-pointer dereference that panics the daemon.
This may allow the Incus daemon to be crashed during S3 bucket restore if a truncated or corrupted backup archive is provided. A panic can occur when a malformed archive produces a non-EOF tar read error after the first entry. Any caller of UploadAllFiles that processes attacker-controlled archive content may be affected.
Affected File: https://github.com/lxc/incus/blob/v6.22.0/…server/storage/s3/transfer_manager.go#L127
The tar-iteration loop only checks for EOF:
Affected Code:
for {
hdr, err := tr.Next()
if err == io.EOF {
break // End of archive.
}
// Skip index.yaml file
if hdr.Name == "backup/index.yaml" {When tr.Next() returns a non-EOF error, hdr is nil. The code does not check for this case and immediately dereferences hdr.Name.
This was confirmed as follows:
Command:
go test ./test/fuzz -run='FuzzS3BucketUploadTarParsing/s3_nil_deref_truncated_tar' -count=1 -vOutput:
=== RUN FuzzS3BucketUploadTarParsing
=== RUN FuzzS3BucketUploadTarParsing/s3_nil_deref_truncated_tar
s3_bucket_upload_fuzz_test.go:82: UploadAllFiles panicked: runtime error: invalid memory address
or nil pointer dereference
--- FAIL: FuzzS3BucketUploadTarParsing/s3_nil_deref_truncated_tar (0.00s)
FAILIt is recommended to add a non-EOF error check after tr.Next().
Proposed Fix:
hdr, err := tr.Next()
if err == io.EOF {
break
}
if err != nil {
return fmt.Errorf("Error reading backup archive: %w", err)
}A patch is available at https://github.com/lxc/incus/releases/tag/v7.0.0.
Credits
This issue was discovered and reported by the team at 7asecurity (https://7asecurity.com/)
AnalysisAI
Nil-pointer dereference in Incus daemon S3 storage bucket import allows authenticated users to crash the daemon by uploading a truncated or corrupted tar backup file. The TransferManager.UploadAllFiles function fails to handle non-EOF errors from tar parsing, causing a panic when hdr is nil. Vendor-released patch available in v7.0.0.
Technical ContextAI
The vulnerability exists in the S3 bucket restore functionality of Incus, specifically in the TransferManager.UploadAllFiles method located in internal/server/storage/s3/transfer_manager.go. The tar archive parsing loop uses Go's tar.Reader.Next() method to iterate through tar entries but only checks for io.EOF error conditions. When tr.Next() encounters a non-EOF error (such as unexpected EOF from a truncated or corrupted archive), the returned header pointer hdr is nil. The code then immediately dereferences hdr.Name without validating hdr is not nil, triggering a runtime panic. This is a missing error handling bug (CWE-476: Null Pointer Dereference) in the error path of tar archive processing.
RemediationAI
Vendor-released patch: Incus v7.0.0 or later. Users running vulnerable versions should upgrade immediately to v7.0.0 or any subsequent release available at https://github.com/lxc/incus/releases/tag/v7.0.0. The fix implements proper non-EOF error handling in TransferManager.UploadAllFiles by checking if err != nil after each tr.Next() call before dereferencing the header. If immediate patching is not feasible, restrict S3 bucket import operations to trusted administrators only and monitor Incus daemon logs for panic events. Note that this vulnerability requires authenticated access, so network isolation of Incus control plane access provides defense-in-depth but is not a substitute for patching.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
GHSA-fwj8-62r8-8p8m