Skip to main content

Incus CVE-2026-41647

MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-04 https://github.com/lxc/incus GHSA-fwj8-62r8-8p8m
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 04, 2026 - 20:32 vuln.today
Analysis Generated
May 04, 2026 - 20:32 vuln.today

DescriptionGitHub Advisory

Summary

Missing error handling could lead an authenticated Incus user to cause a daemon crash through the import of a truncated storage bucket backup file.

Details

It was found that TransferManager.UploadAllFiles iterates over tar entries but only checks for io.EOF from tr.Next(). When tr.Next() returns a non-EOF error, such as unexpected EOF from a truncated archive, the header hdr is nil and the code continues to access hdr.Name, causing a nil-pointer dereference that panics the daemon.

This may allow the Incus daemon to be crashed during S3 bucket restore if a truncated or corrupted backup archive is provided. A panic can occur when a malformed archive produces a non-EOF tar read error after the first entry. Any caller of UploadAllFiles that processes attacker-controlled archive content may be affected.

Affected File: https://github.com/lxc/incus/blob/v6.22.0/…server/storage/s3/transfer_manager.go#L127

The tar-iteration loop only checks for EOF:

Affected Code:

for {
    hdr, err := tr.Next()
    if err == io.EOF {
        break // End of archive.
    }

    // Skip index.yaml file
    if hdr.Name == "backup/index.yaml" {

When tr.Next() returns a non-EOF error, hdr is nil. The code does not check for this case and immediately dereferences hdr.Name.

This was confirmed as follows:

Command:

go test ./test/fuzz -run='FuzzS3BucketUploadTarParsing/s3_nil_deref_truncated_tar' -count=1 -v

Output:

=== RUN   FuzzS3BucketUploadTarParsing
=== RUN   FuzzS3BucketUploadTarParsing/s3_nil_deref_truncated_tar
   s3_bucket_upload_fuzz_test.go:82: UploadAllFiles panicked: runtime error: invalid memory address
       or nil pointer dereference
--- FAIL: FuzzS3BucketUploadTarParsing/s3_nil_deref_truncated_tar (0.00s)
FAIL

It is recommended to add a non-EOF error check after tr.Next().

Proposed Fix:

hdr, err := tr.Next()
if err == io.EOF {
    break
}

if err != nil {
    return fmt.Errorf("Error reading backup archive: %w", err)
}

A patch is available at https://github.com/lxc/incus/releases/tag/v7.0.0.

Credits

This issue was discovered and reported by the team at 7asecurity (https://7asecurity.com/)

AnalysisAI

Nil-pointer dereference in Incus daemon S3 storage bucket import allows authenticated users to crash the daemon by uploading a truncated or corrupted tar backup file. The TransferManager.UploadAllFiles function fails to handle non-EOF errors from tar parsing, causing a panic when hdr is nil. Vendor-released patch available in v7.0.0.

Technical ContextAI

The vulnerability exists in the S3 bucket restore functionality of Incus, specifically in the TransferManager.UploadAllFiles method located in internal/server/storage/s3/transfer_manager.go. The tar archive parsing loop uses Go's tar.Reader.Next() method to iterate through tar entries but only checks for io.EOF error conditions. When tr.Next() encounters a non-EOF error (such as unexpected EOF from a truncated or corrupted archive), the returned header pointer hdr is nil. The code then immediately dereferences hdr.Name without validating hdr is not nil, triggering a runtime panic. This is a missing error handling bug (CWE-476: Null Pointer Dereference) in the error path of tar archive processing.

RemediationAI

Vendor-released patch: Incus v7.0.0 or later. Users running vulnerable versions should upgrade immediately to v7.0.0 or any subsequent release available at https://github.com/lxc/incus/releases/tag/v7.0.0. The fix implements proper non-EOF error handling in TransferManager.UploadAllFiles by checking if err != nil after each tr.Next() call before dereferencing the header. If immediate patching is not feasible, restrict S3 bucket import operations to trusted administrators only and monitor Incus daemon logs for panic events. Note that this vulnerability requires authenticated access, so network isolation of Incus control plane access provides defense-in-depth but is not a substitute for patching.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-41647 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy