CVE-2026-40197: Incus has a Nil-Pointer Dereference via Custom Volume Import

May 4, 2026 (updated May 8, 2026)

Missing validation logic in the storage volume import logic allows an authenticated user with access to Incus’ storage volume feature to cause the Incus daemon to crash. Repeated use of this issue can be used to keep Incus offline causing a denial of service.

References

github.com/advisories/GHSA-r7w7-mmxr-47r9
github.com/lxc/incus
github.com/lxc/incus/security/advisories/GHSA-r7w7-mmxr-47r9
nvd.nist.gov/vuln/detail/CVE-2026-40197

Code Behaviors & Features

Detect and mitigate CVE-2026-40197 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →