CVE-2026-41648: Incus has Unbounded YAML Metadata Decode via Parsing
User-provided image and backup tarballs would be unpacked and their YAML files parsed without any size restrictions. This made it easy for an authenticated user to provide a crafted image or backup tarball that, when parsed by Incus, would lead to a very large YAML document being loaded into memory, potentially causing the entire server to run out of memory.
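One way to enforce the missing bound, shown as an added example rather than Incus's own code or its fix: a single tar entry is read through a hard byte cap before anything is handed to a YAML decoder. The entry name `metadata.yaml`, the 1 MiB limit and all function names are assumptions made for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

const maxMetadataSize = 1 << 20 // hypothetical 1 MiB cap chosen for this example
var errTooLarge = errors.New("metadata file exceeds size limit")

// readBoundedEntry returns the named tar entry, refusing anything over limit bytes.
func readBoundedEntry(r io.Reader, name string, limit int64) ([]byte, error) {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err != nil { // io.EOF here means the entry was not in the archive
			return nil, fmt.Errorf("looking for %s: %w", name, err)
		}
		if hdr.Name != name {
			continue
		}
		// Cap the bytes actually read; the extra byte separates "at limit" from "over".
		data, err := io.ReadAll(io.LimitReader(tr, limit+1))
		if err != nil {
			return nil, err
		}
		if int64(len(data)) > limit {
			return nil, errTooLarge
		}
		return data, nil // only now is it safe to pass to a YAML decoder
	}
}

// buildTar makes a constructed single-entry tarball used as sample input.
func buildTar(name string, body []byte) io.Reader {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))})
	tw.Write(body)
	tw.Close()
	return &buf
}

func main() { // assumed entry name "metadata.yaml"; the body is one byte over the cap
	fmt.Println(readBoundedEntry(buildTar("metadata.yaml", make([]byte, maxMetadataSize+1)), "metadata.yaml", maxMetadataSize))
}
```

When the tarball arrives compressed, the same cap has to sit on the decompressed stream, since the compressed size says little about how much memory the expanded document will need.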