PT-2026-37137 · Incus · Incus

Ectario +1 · Published 2026-05-04 · Updated 2026-05-07 · CVE-2026-41647

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Incus versions prior to 7.0.0

Description

Missing error handling in the TransferManager.UploadAllFiles() function allows an authenticated user to cause a daemon crash. The issue occurs during the import of a truncated or corrupted storage bucket backup archive. Specifically, the system iterates over tar entries but only checks for io.EOF from tr.Next(). If a non-EOF error occurs, such as an unexpected EOF from a truncated archive, the header hdr becomes nil, leading to a nil-pointer dereference when the code attempts to access hdr.Name, which triggers a daemon panic.

Recommendations

Update to version 7.0.0.
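
The loop pattern from the description, shown beside a checked version, as an added Go example that is not Incus source code. The function names, the entry name and the in-memory archive are hypothetical and constructed for illustration; `recover()` is used only so the panic can be reported as a value.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
)

// sampleBackup returns a reader over the first n bytes of a constructed 3584-byte one-file archive.
func sampleBackup(n int) *tar.Reader {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "backup/index.yaml", Mode: 0o600, Size: 2048})
	tw.Write(make([]byte, 2048))
	tw.Close()
	return tar.NewReader(bytes.NewReader(buf.Bytes()[:n]))
}

// listUnchecked mirrors the flawed loop (only io.EOF ends it); recover() reports the panic for the demo.
func listUnchecked(tr *tar.Reader) (names []string, panicked bool) {
	defer func() { panicked = recover() != nil }()
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return names, false
		}
		names = append(names, hdr.Name) // hdr is nil on any other error
	}
}

// listChecked returns on every non-nil error before hdr is touched.
func listChecked(tr *tar.Reader) ([]string, error) {
	var names []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return names, nil // clean end of archive
		}
		if err != nil {
			return names, fmt.Errorf("reading backup archive: %w", err)
		}
		names = append(names, hdr.Name)
	}
}

func main() {
	fmt.Println(listUnchecked(sampleBackup(1000))) // archive cut mid file body
	fmt.Println(listChecked(sampleBackup(1000)))
}
```

In a long-running daemon an unrecovered panic in a request goroutine ends the whole process, which is why the checked loop returns the error to the caller instead.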

Fix

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

CVE-2026-41647
GHSA-FWJ8-62R8-8P8M

Affected Products

Incus