CVE-2026-40243: Incus has an OVN TLS Verification that Accepts Peer-Supplied Roots
Broken TLS validation in the OVN database connection code could allow Incus to connect to an attacker's OVN database.
OVN uses mTLS for authentication, so the attacker cannot actually perform a full man-in-the-middle attack, as they won't be able to authenticate with the real OVN deployment. At best they can provide a replacement empty database, which Incus will briefly interact with before hitting errors because the rest of the OVN stack does not react to the committed changes.
Also worth noting is that the OVN control plane typically runs on the same servers as Incus; there is usually no routing between an Incus server and the OVN control plane, which makes such an attack extremely difficult to pull off in the first place.
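As an added illustration of the bug class named in the advisory title (this is example code, not code from Incus or OVN), the following Go program generates an in-memory CA, a legitimate server certificate for a constructed hostname, and a rogue self-signed chain for the same hostname. It then compares two root-selection policies: a client that validates against a pinned, locally configured CA, and one that seeds its root pool from the certificates the peer itself presented. The functions, hostnames and certificate names are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must unwraps (value, error) pairs while generating fixtures; a failure here is a bug in the example.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert issues a short-lived in-memory certificate for cn (constructed fixture, self-signed when parent is nil).
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent was given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// verifyChain is the correct shape for a client-side check: the leaf is validated against roots from
// local configuration, and further peer certificates serve only as untrusted intermediates.
func verifyChain(rawCerts [][]byte, roots *x509.CertPool, host string) error {
	if len(rawCerts) == 0 {
		return errors.New("peer presented no certificate")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool(), DNSName: host}
	for _, raw := range rawCerts[1:] {
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		opts.Intermediates.AddCert(c)
	}
	_, err = leaf.Verify(opts)
	return err
}

// peerSuppliedRoots is a hypothetical reconstruction of the bug class (not Incus code): the root pool
// is filled from what the peer sent, so a chain ending in any self-signed CA verifies against itself.
func peerSuppliedRoots(rawCerts [][]byte) *x509.CertPool {
	pool := x509.NewCertPool()
	for i := 1; i < len(rawCerts); i++ {
		if c, err := x509.ParseCertificate(rawCerts[i]); err == nil && c.IsCA {
			pool.AddCert(c) // trusting whatever the remote side chose to send
		}
	}
	return pool
}

type Outcome struct{ PinnedAcceptsLegit, PinnedRejectsRogue, PeerRootsAcceptsRogue bool }

func runScenario() Outcome {
	const host = "ovn-nb.example.internal" // constructed hostname
	ca, caKey := mkCert("constructed-ca", true, nil, nil)
	legit, _ := mkCert(host, false, ca, caKey)
	rogueCA, rogueKey := mkCert("constructed-rogue-ca", true, nil, nil)
	rogue, _ := mkCert(host, false, rogueCA, rogueKey) // same name, different issuer
	pinned := x509.NewCertPool() // the only trust anchor a correctly configured client holds
	pinned.AddCert(ca)
	legitChain := [][]byte{legit.Raw, ca.Raw}
	rogueChain := [][]byte{rogue.Raw, rogueCA.Raw}
	return Outcome{
		PinnedAcceptsLegit:    verifyChain(legitChain, pinned, host) == nil,
		PinnedRejectsRogue:    verifyChain(rogueChain, pinned, host) != nil,
		PeerRootsAcceptsRogue: verifyChain(rogueChain, peerSuppliedRoots(rogueChain), host) == nil,
	}
}

func main() { fmt.Printf("%+v\n", runScenario()) }
```

The hostname check passes for both chains, so name matching alone is no defence; what separates the two outcomes is solely where the root pool comes from. The check a reviewer wants to see in any OVN (or other mTLS) client is that `Roots` is populated exclusively from configuration and never from the handshake's own certificate messages.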
References
- github.com/advisories/GHSA-c839-4qxr-j4x3
- github.com/lxc/incus
- github.com/lxc/incus/blob/v6.22.0/internal/server/network/ovn/ovn_icnb.go
- github.com/lxc/incus/blob/v6.22.0/internal/server/network/ovn/ovn_icsb.go
- github.com/lxc/incus/blob/v6.22.0/internal/server/network/ovn/ovn_nb.go
- github.com/lxc/incus/blob/v6.22.0/internal/server/network/ovn/ovn_sb.go
- github.com/lxc/incus/security/advisories/GHSA-c839-4qxr-j4x3
- nvd.nist.gov/vuln/detail/CVE-2026-40243