CVE-2026-33743

NameCVE-2026-33743
DescriptionIncus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by an user with access to Incus' storage bucket feature to crash the Incus daemon. Repeated use of this attack can be used to keep the server offline causing a denial of service of the control plane API. This does not impact any running workload, existing containers and virtual machines will keep operating. Version 6.23.0 fixes the issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
incus (PTS)trixie (security), trixie6.0.4-2+deb13u4vulnerable
forky6.0.6-1vulnerable
sid6.0.6-2fixed
lxd (PTS)bookworm5.0.2-5+deb12u2fixed
bookworm (security)5.0.2-5+deb12u3fixed
trixie (security), trixie5.0.2+git20231211.1364ae4-9+deb13u3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
incussource(unstable)6.0.6-2
lxdsource(unstable)(not affected)

Notes

- lxd <not-affected> (Vulnerable code not present)
https://github.com/lxc/incus/pull/3092
https://github.com/lxc/incus/security/advisories/GHSA-vg76-xmhg-j5x3
Search for package or bug name: Reporting problems