CVE-2026-40195: Incus has a Nil-Pointer Dereference Panic via Bucket Metadata

May 4, 2026 (updated May 8, 2026)

Missing validation logic in the storage bucket import logic allows an authenticated user with access to Incus’ storage bucket feature to cause the Incus daemon to crash. Repeated use of this issue can be used to keep Incus offline causing a denial of service.

References

github.com/advisories/GHSA-gc7j-g665-rxr9
github.com/lxc/incus
github.com/lxc/incus/security/advisories/GHSA-gc7j-g665-rxr9
nvd.nist.gov/vuln/detail/CVE-2026-40195

Code Behaviors & Features

Detect and mitigate CVE-2026-40195 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →