CVE-2026-33743
Incus vulnerable to denial of source through crafted bucket backup file
CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
12th
Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by an user with access to Incus' storage bucket feature to crash the Incus daemon. Repeated use of this attack can be used to keep the server offline causing a denial of service of the control plane API. This does not impact any running workload, existing containers and virtual machines will keep operating. Version 6.23.0 fixes the issue.
| CWE | CWE-770 |
| Vendor | lxc |
| Product | incus |
| Published | Mar 26, 2026 |
| Last Updated | Mar 27, 2026 |
Stay Ahead of the Next One
Get instant alerts for lxc incus
Be the first to know when new medium vulnerabilities affecting lxc incus are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
lxc / incus
< 6.23.0