PT-2026-37149 · Incus · Incus

Stamparm · Published 2026-05-04 · Updated 2026-05-07 · CVE-2026-41685

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Incus versions prior to 7.0.0
Description: Authenticated users can cause a denial of service by uploading large amounts of data, which may exhaust the disk space of the Incus server and potentially crash the host system. This occurs because multiple binary import paths accept application/octet-stream requests and stream the HTTP request body directly into temporary files on the host without a request-size limit. The daemon uses direct io.Copy operations to write attacker-controlled streams into host storage before any validation or parsing takes place.
This issue affects the following flows:
  • Instance backup import via the '/1.0/instances' endpoint
  • Storage bucket import
  • Storage volume import (including ISO uploads)
The impact is reduced for users who have set the storage.images_volume and storage.backups_volume options, because uploads are then stored on those dedicated volumes rather than on the host filesystem; this is the default configuration in IncusOS.
Recommendations: Update to version 7.0.0.
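The unbounded io.Copy pattern the description names, beside the bounded form a fix would use, as an added Go example that is not Incus's own code; the handler, the test helper, the reuse of the '/1.0/instances' path and the 1 MiB cap are constructed for illustration:

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// importHandler streams an application/octet-stream body into a temp file.
// maxBytes <= 0 reproduces the pattern the advisory describes: plain io.Copy
// with no ceiling. A positive maxBytes wraps the body in http.MaxBytesReader
// so the copy fails once the cap is reached and the file never grows past it.
func importHandler(maxBytes int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body := io.Reader(r.Body)
		if maxBytes > 0 {
			body = http.MaxBytesReader(w, r.Body, maxBytes)
		}
		tmp, err := os.CreateTemp("", "import-*")
		if err != nil {
			http.Error(w, "cannot create temp file", http.StatusInternalServerError)
			return
		}
		defer os.Remove(tmp.Name()) // a real import would validate, then keep it
		defer tmp.Close()
		if _, err := io.Copy(tmp, body); err != nil {
			http.Error(w, "upload exceeds limit", http.StatusRequestEntityTooLarge)
			return
		}
		w.WriteHeader(http.StatusAccepted)
	}
}

// postOctetStream sends an n-byte constructed body to h and returns the status.
func postOctetStream(h http.Handler, n int) int {
	req := httptest.NewRequest(http.MethodPost, "/1.0/instances", strings.NewReader(strings.Repeat("A", n)))
	req.Header.Set("Content-Type", "application/octet-stream")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const limit = 1 << 20 // constructed 1 MiB cap; the advisory states no figure
	fmt.Println("no limit, 2 MiB:", postOctetStream(importHandler(0), 2*limit))     // 202
	fmt.Println("1 MiB cap, 2 MiB:", postOctetStream(importHandler(limit), 2*limit)) // 413
	fmt.Println("1 MiB cap, 1 MiB:", postOctetStream(importHandler(limit), limit))   // 202
}
```

With the cap in place the temp file stops growing at the limit and the client gets 413 instead of the daemon filling host storage; the cap on a real server should be configurable per import path.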

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2026-41685
GHSA-98VH-X9CX-9CFP

Affected Products

Incus