Vulnerability Description
Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by an user with access to Incus' storage bucket feature to crash the Incus daemon. Repeated use of this attack can be used to keep the server offline causing a denial of service of the control plane API. This does not impact any running workload, existing containers and virtual machines will keep operating. Version 6.23.0 fixes the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxcontainers | Incus | < 6.23.0 |
Related Weaknesses (CWE)
References
- https://github.com/lxc/incus/security/advisories/GHSA-vg76-xmhg-j5x3ExploitVendor Advisory
- https://github.com/lxc/incus/security/advisories/GHSA-vg76-xmhg-j5x3ExploitVendor Advisory
FAQ
What is CVE-2026-33743?
CVE-2026-33743 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by an user with access to Incus' storage bucket feature to crash...
How severe is CVE-2026-33743?
CVE-2026-33743 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33743?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxcontainers Incus.