PT-2026-37148 · Incus · Incus
Ectario +1 · Published 2026-05-04 · Updated 2026-05-07 · CVE-2026-41684
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Incus versions prior to 7.0.0
Description
An authenticated user with permissions to import instance backups can crash the Incus daemon using a specially crafted backup archive. The issue occurs because the backup.GetInfo() function trusts the inline backup/index.yaml configuration and only parses the legacy backup/container/backup.yaml file if the initial configuration is null. A malicious archive can contain a valid inline configuration to pass initial checks but include a malformed legacy backup.yaml file that omits the container section.
When the archive is extracted, the ParseConfigYamlFile() function accepts the YAML document without a container section. Subsequently, functions such as backup.UpdateInstanceConfig() and internalImportFromBackup() attempt to dereference the .Container variable without checking if it is null, leading to a nil-pointer dereference and a system crash during the restore path.
Recommendations
Update to version 7.0.0.
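The failure mode from the description, as an added Go example (not Incus code): a config whose container section is a pointer decodes to nil when the section is omitted, and a parser that rejects such a document means no caller can dereference it. The `Config` and `Instance` types and both function names are hypothetical, and `encoding/json` stands in for the YAML decoder so the example runs with the standard library only.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical, simplified shapes for illustration; not the Incus types.
type Instance struct {
	Name string `json:"name"`
}

type Config struct {
	Container *Instance `json:"container"` // stays nil when the section is omitted
}

var ErrNoContainer = errors.New("backup config has no container section")

// parseChecked rejects a document without a container section at parse time,
// so every Config handed to the restore path has a non-nil Container.
func parseChecked(doc []byte) (*Config, error) {
	var c Config
	if err := json.Unmarshal(doc, &c); err != nil {
		return nil, err
	}
	if c.Container == nil {
		return nil, ErrNoContainer
	}
	return &c, nil
}

// unsafeName decodes and dereferences Container with no check. recover() turns
// the panic into an error for the demo; a daemon without it would crash.
func unsafeName(doc []byte) (name string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	var c Config
	if err = json.Unmarshal(doc, &c); err != nil {
		return "", err
	}
	return c.Container.Name, nil
}

func main() {
	doc := []byte(`{"pool": {"name": "default"}}`) // constructed sample, no container section
	_, e1 := unsafeName(doc)
	_, e2 := parseChecked(doc)
	fmt.Println("unchecked:", e1)
	fmt.Println("checked:", e2)
}
```

The check belongs on whichever file the restore path actually reads, not only on the inline index that was validated first.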
Fix
NULL Pointer Dereference
Weakness Enumeration
Related Identifiers
Affected Products
Incus