CVE-2026-41684

Incus is a system container and virtual machine manager. Prior to version 7.0.0, backup.GetInfo trusts the inline backup/index.yaml config when present and only falls back to parsing the legacy backup/container/backup.yaml file if result.Config == nil. As a result, an archive can carry a valid...

NULL Pointer Dereference

Overview Affected versions of this package are vulnerable to NULL Pointer Dereference in the restore process when handling a crafted backup archive containing a valid backup/index.yaml and a malformed legacy backup.yaml file that omits the container section. An attacker can cause the daemon to...

GHSA-X5R6-JR56-89PV Incus has Nil Dereferences on Restore via Malformed YAML

Summary Details It was found that backup.GetInfo trusts the inline backup/index.yaml config when present and only falls back to parsing the legacy backup/container/backup.yaml file if result.Config == nil. As a result, an archive can carry a valid inline config that passes the initial import...

PT-2026-37148

Name of the Vulnerable Software and Affected Versions Incus versions prior to 7.0.0 Description An authenticated user with permissions to import instance backups can crash the Incus daemon using a specially crafted backup archive. The issue occurs because the backup.GetInfo function trusts the...