PT-2026-37138 · Incus · Incus

Ectario

+1

Published 2026-05-04 · Updated 2026-05-07 · CVE-2026-41648

CVSS v4.0 5.3 Medium
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Incus versions prior to 7.0.0
Description: Incus is a system container and virtual machine manager. An authenticated user can supply a specially crafted image or backup tarball that contains a very large YAML document. Because Incus unpacks these tarballs and parses the YAML files inside them without any size restriction, the whole document is loaded into memory, which can exhaust the server's memory and degrade service. The root cause is that getImageMetadata() and backup.GetInfo() call the YAML decoder directly on the tar reader, neither limiting the number of bytes consumed nor checking the hdr.Size of the tar entry, so the attacker controls how much data the decoder reads. The decoder already mitigates alias and anchor bombs, but a large flat YAML document still causes memory consumption of roughly 5x to 6x the input size, so a modest upload translates into a much larger allocation on the server.
Recommendations: Update to version 7.0.0.
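The pattern above, shown side by side with a bounded version, as an added example that is not Incus's own code. The function names (vulnerableGetMetadata, hardenedGetMetadata, Compare), the 1 MiB cap in maxMetadataBytes, and the tarball contents are all assumptions made for this example; the decoder is a stand-in that reads the entry into memory, standing in for the real YAML decoder call so the example needs only the Go standard library.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// maxMetadataBytes is an illustrative cap on a metadata.yaml entry. The value
// is an assumption for this example, not a limit taken from Incus.
const maxMetadataBytes = 1 << 20 // 1 MiB

// ErrMetadataTooLarge is returned by the hardened path when the tar header
// declares more bytes than the cap allows.
var ErrMetadataTooLarge = errors.New("metadata.yaml exceeds size limit")

// decodeFunc stands in for the YAML decoder call (yaml.NewDecoder(r).Decode in
// real code); passing it in keeps the example standard-library only.
type decodeFunc func(io.Reader) error

// vulnerableGetMetadata mirrors the pattern the advisory describes: the
// decoder receives the tar entry's reader as-is, so an entry whose header
// declares a huge Size is read into memory in full.
func vulnerableGetMetadata(tarball io.Reader, decode decodeFunc) error {
	tr := tar.NewReader(tarball)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return errors.New("metadata.yaml not found")
		}
		if err != nil {
			return err
		}
		if hdr.Typeflag == tar.TypeReg && hdr.Name == "metadata.yaml" {
			return decode(tr) // no hdr.Size check, no byte limit
		}
	}
}

// hardenedGetMetadata rejects an oversized entry from its header before
// reading any content, and wraps the reader so the bound still holds if a
// later change hands the decoder some other stream.
func hardenedGetMetadata(tarball io.Reader, decode decodeFunc) error {
	tr := tar.NewReader(tarball)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return errors.New("metadata.yaml not found")
		}
		if err != nil {
			return err
		}
		if hdr.Typeflag == tar.TypeReg && hdr.Name == "metadata.yaml" {
			if hdr.Size > maxMetadataBytes {
				return fmt.Errorf("%w: header declares %d bytes", ErrMetadataTooLarge, hdr.Size)
			}
			return decode(io.LimitReader(tr, maxMetadataBytes))
		}
	}
}

// readAllDecoder is a constructed stand-in for a YAML decoder: it pulls the
// whole entry into memory, as a tree-building decoder would, and records
// how many bytes that took.
type readAllDecoder struct{ consumed int64 }

func (d *readAllDecoder) decode(r io.Reader) error {
	b, err := io.ReadAll(r)
	d.consumed += int64(len(b))
	return err
}

// buildImageTarball constructs an in-memory tarball (not a real Incus image)
// whose metadata.yaml is a flat YAML document of at least metadataSize bytes.
func buildImageTarball(metadataSize int) []byte {
	var doc bytes.Buffer
	for i := 0; doc.Len() < metadataSize; i++ {
		fmt.Fprintf(&doc, "key_%d: value_%d\n", i, i)
	}
	var out bytes.Buffer
	tw := tar.NewWriter(&out)
	addFile := func(name string, body []byte) {
		hdr := &tar.Header{Name: name, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write(body); err != nil {
			panic(err)
		}
	}
	addFile("templates/hosts.tpl", []byte("127.0.0.1 localhost\n")) // entry the loop must skip
	addFile("metadata.yaml", doc.Bytes())
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return out.Bytes()
}

// Compare runs both code paths over the same tarball and reports how many
// bytes the vulnerable path loaded and what the hardened path returned.
func Compare(metadataSize int) (vulnConsumed int64, hardenedErr error) {
	tarball := buildImageTarball(metadataSize)
	vuln := &readAllDecoder{}
	_ = vulnerableGetMetadata(bytes.NewReader(tarball), vuln.decode)
	hardened := &readAllDecoder{}
	hardenedErr = hardenedGetMetadata(bytes.NewReader(tarball), hardened.decode)
	return vuln.consumed, hardenedErr
}

func main() {
	for _, size := range []int{512, 4 << 20} {
		consumed, err := Compare(size)
		fmt.Printf("metadata.yaml ~%d bytes: vulnerable path loaded %d bytes, hardened path: %v\n", size, consumed, err)
	}
}
```

Two points worth noting when applying this to real code. Go's archive/tar reader already stops returning bytes at hdr.Size, so the header check is what actually bounds memory; the io.LimitReader is defence in depth for the case where the decoder is later given a reader that is not the tar entry itself. And because the advisory puts the decoder's expansion at 5x to 6x of the input, the cap should be chosen with that multiplier in mind, not as the raw bytes the server is willing to hold.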

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2026-41648
GHSA-67WX-R9XR-X75X

Affected Products

Incus