CVE-2026-41685

Name: CVE-2026-41685
Description: Incus is a system container and virtual machine manager. Prior to version 7.0.0, uploads of large amounts of data by authenticated users can run the Incus server out of disk space, potentially taking down the host system. The impact is limited for deployments that set storage.images_volume and storage.backups_volume, because large uploads are then written to those dedicated volumes rather than directly to the host filesystem; this is the default behavior on IncusOS. This issue has been patched in version 7.0.0.
Source: CVE (NVD)
References: DSA-6244-1, DSA-6247-1
Debian Bugs: 1135644

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                          Version                               Status
incus (PTS)      trixie (security), trixie        6.0.4-2+deb13u7                       fixed
incus (PTS)      forky, sid                       7.0.0-1                               fixed
lxd (PTS)        bookworm, bookworm (security)    5.0.2-5+deb12u6                       fixed
lxd (PTS)        trixie (security), trixie        5.0.2+git20231211.1364ae4-9+deb13u6   fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version                           Urgency   Origin       Debian Bugs
incus     source   trixie       6.0.4-2+deb13u7                         -         DSA-6244-1   -
incus     source   (unstable)   7.0.0-1                                 -         -            1135644
lxd       source   bookworm     5.0.2-5+deb12u6                         -         DSA-6247-1   -
lxd       source   trixie       5.0.2+git20231211.1364ae4-9+deb13u6     -         DSA-6247-1   -
lxd       source   (unstable)   (unfixed)                               -         -            -

Notes

https://github.com/lxc/incus/security/advisories/GHSA-98vh-x9cx-9cfp
https://github.com/lxc/incus/pull/3273
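The description above names one mitigation for hosts that cannot upgrade yet: having storage.images_volume and storage.backups_volume set, so that large uploads are written to a dedicated storage volume instead of the host filesystem. The script below is an added example, not part of the Debian tracker page or of the Incus project, that checks those two server keys. The only real commands it relies on are `incus config get <key>` and `dpkg-query`; the helper names (evaluate_upload_storage, check_live_host) and the sample volume values are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Debian tracker or from Incus itself.
# Checks the mitigation named in the advisory: whether storage.images_volume
# and storage.backups_volume are set, so that large uploads land on a
# dedicated storage volume rather than on the host filesystem.
# evaluate_upload_storage and check_live_host are names chosen for this example.

# evaluate_upload_storage IMAGES_VOLUME BACKUPS_VOLUME
# Takes the two key values as arguments so the logic can be exercised
# offline; returns 0 only when both keys are set, 1 otherwise.
evaluate_upload_storage() {
    images_volume="$1"
    backups_volume="$2"
    status=0
    if [ -z "$images_volume" ]; then
        echo "storage.images_volume is unset: image uploads are written to the host filesystem"
        status=1
    else
        echo "storage.images_volume=$images_volume"
    fi
    if [ -z "$backups_volume" ]; then
        echo "storage.backups_volume is unset: backup uploads are written to the host filesystem"
        status=1
    else
        echo "storage.backups_volume=$backups_volume"
    fi
    return "$status"
}

# Query a running Incus server with the real client commands.  Exit status 2
# means no incus client was found, 1 means at least one key is unset,
# 0 means both volumes are configured.
check_live_host() {
    command -v incus >/dev/null 2>&1 || { echo "incus client not found"; return 2; }
    # Report the installed package version so it can be compared with the
    # fixed versions listed in the table above.
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' incus 2>/dev/null \
            || echo "incus is not installed from a Debian package"
    fi
    evaluate_upload_storage \
        "$(incus config get storage.images_volume)" \
        "$(incus config get storage.backups_volume)"
}

# Constructed sample values standing in for a real server's configuration.
evaluate_upload_storage "default/images" "default/backups"
```

On a real host, call `check_live_host` instead of the sample invocation; a non-zero exit means uploads by any authenticated user can still fill the root filesystem, and the host should either be upgraded to a fixed version from the table or have both keys pointed at a dedicated pool/volume with `incus config set`.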
