Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by an user with access to Incus' storage bucket feature to crash the Incus daemon. Repeated use of this attack can be used to keep the server offline causing a denial of service of the control plane API. This does not impact any running workload, existing containers and virtual machines will keep operating. Version 6.23.0 fixes the issue.
AnalysisAI
Denial of service in Incus prior to version 6.23.0 allows authenticated users with storage bucket access to crash the Incus daemon via specially crafted storage bucket backups, enabling repeated attacks to render the control plane API unavailable while leaving running workloads unaffected. The vulnerability requires local or remote authentication to the Incus system and has a CVSS score of 6.5 (medium severity) with high availability impact. Vendor-released patch available in version 6.23.0.
Technical ContextAI
Incus (cpe:2.3:a:lxc:incus) is a system container and virtual machine manager that provides storage bucket functionality for managing container and VM data. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), indicating improper handling of resource allocation during the processing of storage bucket backup files. When a maliciously crafted backup is parsed or restored, the daemon fails to properly validate or limit resource consumption, resulting in uncontrolled memory or CPU usage that crashes the process. The attack vector is network-based with low complexity, requiring only valid Incus credentials to exploit.
RemediationAI
Upgrade Incus to version 6.23.0 or later immediately (see vendor advisory at https://github.com/lxc/incus/security/advisories/GHSA-vg76-xmhg-j5x3). Until patching is feasible, restrict storage bucket access to trusted users, implement network-level rate limiting on backup restore operations to slow repeated attacks, and configure monitoring and alerting on Incus daemon crashes to detect exploitation attempts. Consider temporarily disabling storage bucket features if not actively required.
Same technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16464
GHSA-vg76-xmhg-j5x3