CVE-2026-40251

Name of the Vulnerable Software and Affected Versions Incus versions prior to 7.0.0

Description Missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The backup restore subsystem and the migration path contain an out-of-bounds panic caused by an invalid bounds check when indexing snapshot metadata arrays. Specifically, when iterating through physical snapshots in a backup archive, the loop uses an index to look up metadata in the Config.Snapshots and Config.VolumeSnapshots slices. The guard condition len(slice) >= i-1 is incorrect, allowing the subsequent slice[i] access to be out of bounds, which triggers a runtime panic.

An attacker can exploit this by submitting a backup archive containing physical snapshot directories while providing a tampered index.yaml file with an empty or truncated snapshot metadata array. This causes the daemon to index beyond the end of the metadata slice and crash, leading to a denial of service.

Recommendations Update to version 7.0.0.