16 matches found

CVE
added 2026/03/26 10:37 p.m., 27 views

CVE-2026-33711

Summary: Incus exposes a local privilege-escalation risk via its API that returns VM screenshots. The issue arises from using a temporary file in QEMU to hold the screenshot, with versions before 6.23.0 writing to predictable /tmp paths. An attacker with local access can pre-create symlinks to ma...

CVSS 7.8, AI score 5.9, EPSS 0.00006

CVE
added 2025/11/10 9:56 p.m., 22 views

CVE-2025-64507

CVE-2025-64507 affects Incus/LXD: in versions prior to 6.0.6 and 6.19.0 an unprivileged user who can access a container and a host with a custom storage volume that has security.shifted=true may create a setuid binary inside the container and execute it on the host to gain root. The issue require...

CVSS 8.6, AI score 6.6, EPSS 0.0003

CVE
added 2026/03/26 10:32 p.m., 15 views

CVE-2026-33542

CVE-2026-33542 affects Incus, a system container and VM manager. Prior to version 6.23.0, there is a lack of validation of the image fingerprint when downloading from simplestreams image servers, which can lead to image cache poisoning and, under very narrow circumstances, exposure of other tenan...

CVSS 7.1, AI score 5.8, EPSS 0.00016

CVE
added 2026/05/06 8:36 p.m., 15 views

CVE-2026-40197

Incus CVE-2026-40197 describes a nil-pointer dereference in the custom volume import path. During import, the code iterates over srcBackup.Config.VolumeSnapshots and dereferences each element without validating it, allowing an attacker-controlled null entry in volume_snapshots to crash the daemon...

CVSS 7.1, AI score 5.8, EPSS 0.00062

CVE
added 2026/05/07 1:8 p.m., 15 views

CVE-2026-41684

Summary of CVE-2026-41684 (Incus): An authenticated user who can import instance backups may crash the Incus daemon during restore when a crafted backup archive includes a valid inline backup/index.yaml but a malformed legacy backup.yaml that omits the container section. The vulnerability arises ...

CVSS 6.5, AI score 5.7, EPSS 0.00027

CVE
added 2026/05/06 8:38 p.m., 14 views

CVE-2026-40243

CVE-2026-40243 describes a TLS verification flaw in Incus (OVN integration) where the OVN database client disables standard TLS verification and uses a custom VerifyPeerCertificate callback that builds trust roots from peer-supplied certificates, ignoring the configured CA pool. This allows an at...

CVSS 4.8, AI score 5.8, EPSS 0.00014

CVE
added 2026/03/26 10:43 p.m., 13 views

CVE-2026-33897

Incus prior to 6.23.0 is vulnerable to arbitrary file read/write as root on the host via instance template files using pongo2 templates. The pongo2 chroot isolation feature was intended to constrain access to the instance filesystem, but the chroot mechanism is skipped by this implementation, all...

CVSS 9.9, AI score 5.9, EPSS 0.00029

CVE
added 2026/05/06 8:40 p.m., 13 views

CVE-2026-40251

CVE-2026-40251 affects Incus before 7.0.0, where the backup restore path uses an incorrect guard len(slice) >= i-1 when iterating through snapshots. This can cause an out-of-bounds access on Config.Snapshots and Config.VolumeSnapshots during restore, triggered by a tampered index.yaml with an ...

CVSS 7.1, AI score 5.8, EPSS 0.00018

CVE
added 2026/03/26 11:25 p.m., 9 views

CVE-2026-33898

CVE-2026-33898 affects the Incus web UI local web server. Prior to v6.23.0, the server incorrectly validates the authentication token when provided in the URL, while the cookie stores the token correctly. An attacker who can access the temporary localhost web server can gain the same access as th...

CVSS 8.8, AI score 5.9, EPSS 0.00028

CVE
added 2026/05/06 8:33 p.m., 9 views

CVE-2026-40195

CVE-2026-40195 affects Incus prior to v7.0.0, causing a nil-pointer dereference in the bucket-import path during bucket restoration from a malformed index.yaml. The bug occurs in CreateBucketFromBackup when srcBackup.Config is not validated (the code accesses srcBackup.Config.Bucket and related f...

CVSS 7.1, AI score 5.8, EPSS 0.00021

CVE
added 2026/05/07 1:2 p.m., 9 views

CVE-2026-41647

CVE-2026-41647 affects Incus, a system container and VM manager. The vulnerability is a nil-pointer dereference during S3 bucket backup import in the internal server/storage/s3 path when processing tar entries; if a non-EOF error is returned by tar, hdr can be nil, leading to a crash of the Incus...

CVSS 6.5, AI score 5.7, EPSS 0.00021

CVE
added 2026/05/07 1:9 p.m., 9 views

CVE-2026-41685

CVE-2026-41685 affects Incus prior to 7.0.0 where authenticated users can trigger unbounded disk usage during binary import paths. The issue occurs because HTTP upload bodies are streamed into temporary host storage via io.Copy in multiple handlers (instance import, bucket backup import, volume b...

CVSS 4.3, AI score 5.7, EPSS 0.00017

CVE
added 2026/03/26 11:27 p.m., 8 views

CVE-2026-33945

Incus (system container/VM manager) before version 6.23.0 allows privilege escalation via credentials to systemd in the guest. In containers, credentials are passed through a shared directory; an attacker can set a config key like systemd.credential.../../../../../../root/.bashrc, exploiting that...

CVSS 9.9, AI score 5.9, EPSS 0.0003

CVE
added 2026/05/05 7:56 p.m., 7 views

CVE-2026-35527

Incus (pre-7.0.0) is vulnerable to a blind SSRF via image import preflight HEAD requests. An authenticated user can coerce the daemon to issue a host-originated HEAD request to a user-supplied URL before policy checks complete, exposing server metadata in headers (Incus-Server-Architectures, Incu...

CVSS 5.3, AI score 5.8, EPSS 0.00011

CVE
added 2026/05/07 1:5 p.m., 6 views

CVE-2026-41648

In Incus (system container/VM manager) before version 7.0.0, unbounded YAML decoding of metadata.yaml and backup/index.yaml from user-supplied images/backups could exhaust memory, enabling an authenticated user to trigger memory pressure or an OOM. The issue arises from decoding YAML without size lim...

CVSS 5.3, AI score 5.7, EPSS 0.00055

CVE
added 2026/03/26 10:40 p.m., 5 views

CVE-2026-33743

Incus (system container/VM manager) prior to 6.23.0 is affected by a denial-of-service issue triggered by a specially crafted storage bucket backup. An authenticated user with access to Incus’ storage bucket feature can crash the Incus daemon; repeated use can keep the server offline and cause a ...

CVSS 6.5, AI score 5.8, EPSS 0.00022