CVE-2026-40251: Incus Vulnerable to Panic via Snapshot Bounds Check

May 4, 2026 (updated May 8, 2026)

Missing validation logic in the storage volume import logic allows an authenticated user with access to Incus’ storage volume feature to cause the Incus daemon to crash. Repeated use of this issue can be used to keep Incus offline causing a denial of service.

References

github.com/advisories/GHSA-4m88-wxj4-9qj6
github.com/lxc/incus
github.com/lxc/incus/blob/v6.22.0/internal/server/storage/backend.go
github.com/lxc/incus/security/advisories/GHSA-4m88-wxj4-9qj6
nvd.nist.gov/vuln/detail/CVE-2026-40251

Code Behaviors & Features

Detect and mitigate CVE-2026-40251 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →