CVE-2026-41648

UNKNOWN 0.0

Incus: Unbounded YAML Metadata Decode via Parsing

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Incus is a system container and virtual machine manager. Prior to version 7.0.0, user provided image and backup tarballs would be unpacked and YAML files parsed without any size restrictions. This was making it easy for an authenticated user to provide a crafted image or backup tarball that when parsed by Incus would lead to a very large YAML document being loaded into memory, potentially causing the entire server to run out of memory. This issue has been patched in version 7.0.0.

CWE	CWE-770
Vendor	lxc
Product	incus
Published	May 7, 2026

Stay Ahead of the Next One

Get instant alerts for lxc incus

Be the first to know when new unknown vulnerabilities affecting lxc incus are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

lxc / incus

< 7.0.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/lxc/incus/security/advisories/GHSA-67wx-r9xr-x75x github.com: https://github.com/lxc/incus/releases/tag/v7.0.0