313 matches found
Incus Vulnerable to Panic via Snapshot Bounds Check
Summary: Missing validation logic in the storage volume import logic allows an authenticated user with access to Incus' storage volume feature to cause the Incus daemon to crash. Repeated use of this issue can be used to keep Incus offline causing a denial of service. Details: The backup restore...
Out-of-bounds Read
Overview: Affected versions of this package are vulnerable to Out-of-bounds Read through improper bounds checking in the CreateInstanceFromBackup and CreateInstanceFromMigration functions. An attacker can cause the daemon to crash by submitting a crafted backup archive with physical snapshot...
Incus has an OVN TLS Verification that Accepts Peer-Supplied Roots
Summary: Broken TLS validation logic in the OVN database connection logic could allow connections to an attacker's OVN database. OVN uses mTLS for authentication, so the attacker cannot actually perform a full man in the middle attack as they won't be able to authenticate with the real OVN...
GHSA-C839-4QXR-J4X3 Incus has an OVN TLS Verification that Accepts Peer-Supplied Roots
Summary: Broken TLS validation logic in the OVN database connection logic could allow connections to an attacker's OVN database. OVN uses mTLS for authentication, so the attacker cannot actually perform a full man in the middle attack as they won't be able to authenticate with the real OVN...
PT-2026-36945
Name of the Vulnerable Software and Affected Versions: Incus affected versions not specified. Description: A nil-pointer dereference exists in the custom volume backup import subsystem. An authenticated user with access to the storage volume feature can cause the Incus daemon to crash by importing a...
PT-2026-37138
Name of the Vulnerable Software and Affected Versions: Incus versions prior to 7.0.0. Description: Incus is a system container and virtual machine manager. An authenticated user can provide a specially crafted image or backup tarball containing a very large YAML document. Because the software unpack...
PT-2026-37137
Name of the Vulnerable Software and Affected Versions: Incus versions prior to 7.0.0. Description: Missing error handling in the TransferManager.UploadAllFiles function allows an authenticated user to cause a daemon crash. The issue occurs during the import of a truncated or corrupted storage bucket...
[SECURITY] [DSA 6244-1] incus security update
Debian Security Advisory DSA-6244-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 02, 2026 https://www.debian.org/security/faq -...
Debian dsa-6244 : golang-github-lxc-incus-dev - security update
The remote Debian 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6244 advisory. Debian Security Advisory DSA-6244-1 [email protected] https://www.debian.org/securit...
Linux Distros Unpatched Vulnerability : CVE-2026-40251
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an...
Linux Distros Unpatched Vulnerability : CVE-2026-35527
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Incus is an open source container and virtual machine manager. In versions prior to 7.0.0, the image import flow issues an outbound HEAD request to a...
Linux Distros Unpatched Vulnerability : CVE-2026-40195
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage bucket import logic allows an...
[BSA-132] Security Update for incus
Mathias Gibbens uploaded new packages for incus which fixed the following security problems: CVE ID: CVE-2026-34178, CVE-2026-34179. Two security issues were discovered in Incus, a system container and virtual machine manager, which could result in restriction bypass or privilege escalation. For t...
[SECURITY] Fedora 42 Update: incus-6.23-3.fc42
Container hypervisor based on LXC Incus offers a REST API to remotely manage containers over the network, using an image based work-flow and with support for live migration. This package contains the Incus daemon...
[SECURITY] Fedora 43 Update: incus-6.23-3.fc43
Container hypervisor based on LXC Incus offers a REST API to remotely manage containers over the network, using an image based work-flow and with support for live migration. This package contains the Incus daemon...
ROS-20260420-73-0045
Vulnerability in incus related to failure to take measures to neutralize special elements in the template creation mechanism. Exploitation of the vulnerability may allow an attacker to execute arbitrary code...
ROS-20260420-73-0042
Vulnerability in incus related to errors in certificate authentication procedure. The vulnerability can be exploited remotely...
ROS-20260420-73-0047
Vulnerability in incus related to character reference tracking. Exploitation of the vulnerability could allow an attacker to escalate his privileges...
ROS-20260420-73-0033
A vulnerability in Incus container management system and virtual machine manager is related to insecure privilege management. Exploitation of the vulnerability could allow an attacker to escalate privileges...
ROS-20260420-73-0046
Vulnerability in incus related to unrestricted resource allocation. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...