CVE-2026-41648
Last modified
CVE-2026-41648 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Incus is a system container and virtual machine manager. Prior to version 7.0.0, user provided image and backup tarballs would be unpacked and YAML files parsed without any size restrictions. EPSS estimates a 0.27% chance of exploitation in the next 30 days.
Description
Incus is a system container and virtual machine manager. Prior to version 7.0.0, user provided image and backup tarballs would be unpacked and YAML files parsed without any size restrictions. This was making it easy for an authenticated user to provide a crafted image or backup tarball that when parsed by Incus would lead to a very large YAML document being loaded into memory, potentially causing the entire server to run out of memory. This issue has been patched in version 7.0.0.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Linuxcontainers | Incus | < 7.0.0 |
References
- https://github.com/lxc/incus/releases/tag/v7.0.0Patch, Product
- https://github.com/lxc/incus/security/advisories/GHSA-67wx-r9xr-x75xExploit, Mitigation, Vendor Advisory
- https://github.com/lxc/incus/security/advisories/GHSA-67wx-r9xr-x75xExploit, Mitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-41648?
How severe is CVE-2026-41648?
How do I fix CVE-2026-41648?
Are you affected by CVE-2026-41648?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST