CVE-2026-41685: Incus is affected by unbounded binary import disk exhaustion

May 4, 2026 (updated May 8, 2026)

Uploads of large amount of data by authenticated users can run the Incus server out of disk space, potentially taking down the host system.

The impact here is limited for anyone using storage.images_volume and storage.backups_volume as those users will have large uploads be stored on those volumes rather than directly on the host filesystem. This is the default behavior on IncusOS.

References

github.com/advisories/GHSA-98vh-x9cx-9cfp
github.com/lxc/incus
github.com/lxc/incus/releases/tag/v7.0.0
github.com/lxc/incus/security/advisories/GHSA-98vh-x9cx-9cfp
nvd.nist.gov/vuln/detail/CVE-2026-41685

Code Behaviors & Features

Detect and mitigate CVE-2026-41685 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →