PT-2026-37101 · Incus · Incus

Stamparm · Published 2026-05-04 · Updated 2026-05-07 · CVE-2026-40195

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Incus versions prior to 7.0.0
Description: Missing validation logic in the storage bucket import process allows an authenticated user with access to the storage bucket feature to crash the Incus daemon. The issue occurs in the backup metadata handling logic when the daemon processes the index.yaml file from an imported archive. Specifically, the daemon accesses members of the parsed backup configuration without verifying that the configuration object was initialized. A malformed index.yaml that omits the config block triggers a nil-pointer dereference (a Go runtime error raised when code accesses memory through a pointer that does not point to a valid object) within the CreateBucketFromBackup() function. The result is a daemon crash; because the import can be repeated, the flaw can be used to keep Incus offline (denial of service).
Recommendations: Update to version 7.0.0.
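As an added illustration of the pattern behind this advisory and of the check that removes it (example code, not Incus's own; the type names, the helper functions, and the use of JSON in place of the YAML index file are assumptions made for a stand-alone example):

```go
package main

import (
	"encoding/json"
	"errors"
)

// Hypothetical stand-in for the parsed backup index; not Incus's real types.
type bucketConfig struct {
	Name string `json:"name"`
}

type backupIndex struct {
	Name   string        `json:"name"`
	Config *bucketConfig `json:"config"` // stays nil when the config block is absent
}

var errMissingConfig = errors.New("backup index: config block missing")

// parseIndex decodes the index document; JSON stands in for the YAML
// index.yaml so the example needs only the standard library.
func parseIndex(doc []byte) (*backupIndex, error) {
	var idx backupIndex
	if err := json.Unmarshal(doc, &idx); err != nil {
		return nil, err
	}
	return &idx, nil
}

// bucketNameUnchecked mirrors the flawed pattern: Config is dereferenced
// without a check. recover() only reports the panic here; in the daemon the
// same dereference takes the whole process down.
func bucketNameUnchecked(idx *backupIndex) (name string, panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	return idx.Config.Name, false
}

// bucketNameChecked is the hardened form: reject the import with an error
// instead of assuming the config block was present.
func bucketNameChecked(idx *backupIndex) (string, error) {
	if idx == nil || idx.Config == nil {
		return "", errMissingConfig
	}
	return idx.Config.Name, nil
}
```

A constructed document such as `{"name":"b1"}` (no config block) makes bucketNameUnchecked panic while bucketNameChecked returns errMissingConfig and the caller can reject the archive cleanly.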

Exploit · Fix · DoS · NULL Pointer Dereference

Weakness Enumeration

Related Identifiers: CVE-2026-40195, GHSA-GC7J-G665-RXR9

Affected Products: Incus