PT-2026-28522 · Incus +1

Stamparm · Published 2026-01-01 · Updated 2026-05-04 · CVE-2026-33743

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Incus versions prior to 6.23.0
Description: Incus, a system container and virtual machine manager, contains a flaw in which a specially crafted storage bucket backup can be used by a user with access to the storage bucket feature to crash the Incus daemon. Repeated exploitation leads to a denial of service of the control plane API; running containers and virtual machines are not affected. The root cause is an unchecked string slice in the S3 transfer manager on the S3 restore path: the code slices header names at a fixed offset without first validating them, so a malicious archive containing a header name shorter than expected triggers a slice-bounds panic. The panic is not recovered, and an unrecovered Go panic terminates the whole process rather than just the failing request, which is why one bad archive takes down the daemon. The vulnerable code is in the UploadAllFiles function in the internal/server/storage/s3/transfer manager.go file.
Recommendations: Update Incus to version 6.23.0 or later. Exploitation requires an authenticated user with access to the storage bucket feature (the vector's Au:S), so limiting which users can use storage buckets reduces exposure until the update is applied.
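As an added illustration, not Incus's own code and not the UploadAllFiles function itself, the following Go program shows the unchecked slice pattern the description refers to beside a hardened form that validates the header name before slicing. The prefix x-amz-meta-, the function names and the archive headers are assumptions constructed for the example; only the shape of the bug (slicing a header name at a fixed offset that can exceed its length) comes from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// metaPrefix is an assumed prefix that the illustrative restore code expects on
// every header name it handles; Incus's real constant and layout may differ.
const metaPrefix = "x-amz-meta-"

// ErrBadHeader is returned by the hardened variant for a header name that is
// too short or does not carry the expected prefix.
var ErrBadHeader = errors.New("s3 restore: malformed metadata header name")

// craftedArchiveHeaders is a constructed stand-in for the per-object headers
// read out of a backup archive. The key "x-amz-meta" is one byte shorter than
// metaPrefix, which is exactly the shape that triggers the panic.
var craftedArchiveHeaders = map[string]string{
	"x-amz-meta-owner": "alice",
	"x-amz-meta":       "crafted",
	"content-type":     "application/octet-stream",
}

// stripPrefixUnchecked mirrors the unchecked pattern: it slices at
// len(metaPrefix) without first confirming the name is at least that long.
// For a shorter name the slice expression panics with
// "slice bounds out of range", and an unrecovered panic kills the whole
// Go process, which is how a single bad archive takes down a daemon.
func stripPrefixUnchecked(name string) string {
	return name[len(metaPrefix):]
}

// stripPrefixChecked validates before slicing. strings.HasPrefix implies
// len(name) >= len(metaPrefix), so the slice below can never go out of range;
// an empty remainder is rejected too, since a metadata key cannot be empty.
func stripPrefixChecked(name string) (string, error) {
	if !strings.HasPrefix(name, metaPrefix) || len(name) == len(metaPrefix) {
		return "", fmt.Errorf("%w: %q", ErrBadHeader, name)
	}
	return name[len(metaPrefix):], nil
}

// uncheckedPanics reports whether the unchecked variant panics on name,
// recovering so that this demonstration (unlike the daemon) survives.
func uncheckedPanics(name string) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	_ = stripPrefixUnchecked(name)
	return false
}

// restoreHeaders is the hardened restore loop: every header goes through the
// checked variant, accepted metadata keys are collected, and malformed names
// are reported (sorted, because map iteration order is random) instead of
// aborting the process.
func restoreHeaders(headers map[string]string) (accepted map[string]string, rejected []string) {
	accepted = make(map[string]string)
	for name, value := range headers {
		key, err := stripPrefixChecked(name)
		if err != nil {
			rejected = append(rejected, name)
			continue
		}
		accepted[key] = value
	}
	sort.Strings(rejected)
	return accepted, rejected
}

func main() {
	for _, name := range []string{"x-amz-meta-owner", "x-amz-meta"} {
		fmt.Printf("unchecked %-19q panics: %v\n", name, uncheckedPanics(name))
	}
	accepted, rejected := restoreHeaders(craftedArchiveHeaders)
	fmt.Println("hardened restore accepted:", accepted)
	fmt.Println("hardened restore rejected:", rejected)
}
```

The fix is the length and prefix check before the slice expression; the rest of the loop only changes so that a malformed archive produces an error the API can report instead of a process crash. As defense in depth, restore work that runs in its own goroutine should also recover panics at the goroutine boundary, so that a future parsing bug of the same kind degrades to a failed restore rather than a control-plane outage.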

Exploit · Fix · DoS

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers

BDU:2026-07368
CVE-2026-33743
GHSA-VG76-XMHG-J5X3
GO-2026-4886
OPENSUSE-SU-2026:10450-1

Affected Products

Incus
RED OS