LeakyCreds

CVE-2026-40251 - Vulnerability Analysis

Medium | CVSS: 6.5

Last Updated: May 7, 2026

Incus - Denial of Service

Published: May 6, 2026 | Updated: May 7, 2026 | PoC Available | Remote Exploitable

Overview

Incus < 7.0.0 contains a denial of service caused by improper bounds checking in the storage volume import and backup restore logic. Authenticated users can crash the daemon by submitting crafted backup archives. Exploitation requires authenticated access to the storage volume feature.

Severity & Score

Severity: Medium
CVSS Score: 6.5

Impact

Authenticated users can crash the Incus daemon repeatedly, causing denial of service and service unavailability.

Mitigation

Update to version 7.0.0 or later.

Details

CVE ID: CVE-2026-40251
Severity: Medium
CVSS Score: 6.5
Type: out_of_bounds_rw
Status: confirmed

CWE

  • CWE-129

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H