{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33743", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.561Z", "datePublished": "2026-03-26T22:40:07.499Z", "dateUpdated": "2026-03-27T13:53:39.299Z"}, "containers": {"cna": {"title": "Incus vulnerable to denial of source through crafted bucket backup file", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/lxc/incus/security/advisories/GHSA-vg76-xmhg-j5x3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lxc/incus/security/advisories/GHSA-vg76-xmhg-j5x3"}], "affected": [{"vendor": "lxc", "product": "incus", "versions": [{"version": "< 6.23.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T22:40:07.499Z"}, "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by an user with access to Incus' storage bucket feature to crash the Incus daemon. Repeated use of this attack can be used to keep the server offline causing a denial of service of the control plane API. This does not impact any running workload, existing containers and virtual machines will keep operating. Version 6.23.0 fixes the issue."}], "source": {"advisory": "GHSA-vg76-xmhg-j5x3", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/lxc/incus/security/advisories/GHSA-vg76-xmhg-j5x3", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:27:44.938386Z", "id": "CVE-2026-33743", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:53:39.299Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33743", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T13:27:44.938386Z"}}}], "references": [{"url": "https://github.com/lxc/incus/security/advisories/GHSA-vg76-xmhg-j5x3", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:27:39.027Z"}}], "cna": {"title": "Incus vulnerable to denial of source through crafted bucket backup file", "source": {"advisory": "GHSA-vg76-xmhg-j5x3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "lxc", "product": "incus", "versions": [{"status": "affected", "version": "< 6.23.0"}]}], "references": [{"url": "https://github.com/lxc/incus/security/advisories/GHSA-vg76-xmhg-j5x3", "name": "https://github.com/lxc/incus/security/advisories/GHSA-vg76-xmhg-j5x3", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by an user with access to Incus' storage bucket feature to crash the Incus daemon. Repeated use of this attack can be used to keep the server offline causing a denial of service of the control plane API. This does not impact any running workload, existing containers and virtual machines will keep operating. Version 6.23.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T22:40:07.499Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33743", "state": "PUBLISHED", "dateUpdated": "2026-03-27T13:53:39.299Z", "dateReserved": "2026-03-23T17:34:57.561Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T22:40:07.499Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*", "matchCriteriaId": "CBE3ABCB-1D47-4A45-A09A-C9F609C53131", "versionEndExcluding": "6.23.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by an user with access to Incus' storage bucket feature to crash the Incus daemon. Repeated use of this attack can be used to keep the server offline causing a denial of service of the control plane API. This does not impact any running workload, existing containers and virtual machines will keep operating. Version 6.23.0 fixes the issue."}, {"lang": "es", "value": "Incus es un gestor de contenedores de sistema y m\u00e1quinas virtuales. Antes de la versi\u00f3n 6.23.0, una copia de seguridad de bucket de almacenamiento especialmente dise\u00f1ada puede ser utilizada por un usuario con acceso a la caracter\u00edstica de bucket de almacenamiento de Incus para hacer fallar el demonio de Incus. El uso repetido de este ataque puede ser utilizado para mantener el servidor fuera de l\u00ednea, causando una denegaci\u00f3n de servicio de la API del plano de control. Esto no tiene impacto en ninguna carga de trabajo en ejecuci\u00f3n; los contenedores y m\u00e1quinas virtuales existentes seguir\u00e1n funcionando. La versi\u00f3n 6.23.0 corrige el problema."}], "id": "CVE-2026-33743", "lastModified": "2026-03-30T18:54:51.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T23:16:20.583", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/lxc/incus/security/advisories/GHSA-vg76-xmhg-j5x3"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/lxc/incus/security/advisories/GHSA-vg76-xmhg-j5x3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "incus: Incus: Denial of Service via specially crafted storage bucket backup", "id": "2452024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452024"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1286", "details": ["A flaw was found in Incus, a system container and virtual machine manager. A user with access to Incus' storage bucket feature can exploit this vulnerability by using a specially crafted storage bucket backup. This can cause the Incus daemon to crash, leading to a denial of service of the control plane API. Repeated exploitation can keep the server offline, though existing containers and virtual machines will continue to operate."], "name": "CVE-2026-33743", "public_date": "2026-03-26T22:40:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33743\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33743\nhttps://github.com/lxc/incus/security/advisories/GHSA-vg76-xmhg-j5x3"], "statement": "This Moderate impact flaw in Incus allows a user with access to the storage bucket feature to trigger a denial of service of the control plane API by providing a specially crafted storage bucket backup. While the Incus daemon may crash, existing containers and virtual machines will continue to operate without interruption. This affects Incus as distributed in Fedora.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.23.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "incus", "source": "cna", "vendor": "lxc"}, "product": "incus", "vendor": "lxc"}], "analysis": {"en": {"generated_at": "2026-03-30T21:07:06.812596+00:00", "value": {"mitigation_remediation": ["Upgrade to Incus version\u202f6.23.0 or later to eliminate the vulnerability", "Restrict or disable the storage\u2011bucket feature for users who do not require it", "Revoke or suspend untrusted users\u2019 permissions to create or upload bucket backups until a patch is applied", "Monitor Incus daemon logs for crashes and implement automated restart procedures if feasible"], "summary": {"action": "Patch Now", "impact": "Denial of Service of the Incus control plane API"}, "threat_synthesis": {"affected_systems": "The vulnerability affects LinuxContainers\u2019 Incus system container and virtual machine manager, all releases older than version\u202f6.23.0. Any user who can access the storage\u2011bucket feature \u2013 either locally or remotely \u2013 can trigger the crash. The issue is limited to the Incus daemon; the underlying workloads are unaffected.", "description_and_impact": "A specially crafted storage\u2011bucket backup file can cause the Incus daemon to crash. The crash disables the control plane API, resulting in a denial of service for users. The failure does not affect already\u2011running containers or virtual machines, and the loss of service can persist until the daemon is restarted. The weakness arises from improper handling of user\u2011supplied data and unchecked memory allocation, corresponding to CWE\u20111286 and CWE\u2011770.", "risk_and_exploitability": "The CVSS base score of 6.5 indicates medium severity. The EPSS score of less than\u202f1\u202f% suggests a low likelihood of widespread exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to submit a crafted backup via the storage\u2011bucket API, which typically requires user privileges. Repeated use can keep the control plane offline, but the impact is confined to service availability rather than confidentiality or integrity."}}}}, "created": "2026-03-27T08:31:29.343885+00:00", "updated": "2026-03-31T20:01:24.312295+00:00", "vendors": ["lxc", "lxc$PRODUCT$incus"]}