Fluid Attacks Database

Description

Incus is a system container and virtual machine manager. Prior to version 7.0.0, a missing error handling could lead an authenticated Incus user to cause a daemon crash through the import of a truncated storage bucket backup file. This issue has been patched in version 7.0.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/lxc/incus/v6/cmd/incusd	>=0 <=6.23.0	-
debian 13	incus	=6.0.4-2 \|\| =6.0.4-2+deb13u1 \|\| =6.0.4-2+deb13u1~bpo12+1 \|\| =6.0.4-2+deb13u2 \|\| =6.0.4-2+deb13u2~bpo12+1 \|\| =6.0.4-2+deb13u3 \|\| =6.0.4-2+deb13u3~bpo12+1 \|\| =6.0.4-2+deb13u4 \|\| =6.0.4-2+deb13u4~bpo12+1 \|\| =6.0.4-2+deb13u5 \|\| =6.0.4-2+deb13u5~bpo12+1 \|\| =6.0.4-2+deb13u6 \|\| =6.0.4-2+deb13u6~bpo12+1 \|\| =6.0.4-2+deb13u7~bpo12+1 \|\| >=0 <6.0.4-2+deb13u7	6.0.4-2+deb13u7
debian 14	incus	=6.0.4-2 \|\| =6.0.4-3 \|\| =6.0.5-1 \|\| =6.0.5-2 \|\| =6.0.5-3 \|\| =6.0.5-4 \|\| =6.0.5-5 \|\| =6.0.5-6 \|\| =6.0.5-7 \|\| =6.0.5-8 \|\| =6.0.6-1 \|\| =6.0.6-2 \|\| =6.0.6-3 \|\| =6.14.0-1~exp1 \|\| =6.15.0-1~exp1 \|\| =6.16.0-1~exp1 \|\| =6.17.0-1~exp1 \|\| =6.20.0-1~exp1 \|\| =6.21.0-1~exp1 \|\| =6.22.0-1~exp1 \|\| =6.23.0-1~exp1 \|\| >=0 <7.0.0-1	7.0.0-1

Aliases

1. CVE-2026-416472. NVD-2026-416473. OSV-2026-416474. OSV-DEBIAN-2026-416475. GHSA-fwj8-62r8-8p8m6. GCVE-2026-416477. SECURITY-TRACKER-CVE-2026-41647

References

1. https://github.com/lxc/incus/security/advisories/GHSA-fwj8-62r8-8p8m2. https://github.com/lxc/incus/releases/tag/v7.0.0