UBUNTU-CVE-2026-41684

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-41684

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41684.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-41684

Upstream

CVE-2026-41684

Published

2026-05-07T14:16:00Z

Modified

2026-05-20T16:25:42.302958084Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Incus is a system container and virtual machine manager. Prior to version 7.0.0, backup.GetInfo() trusts the inline backup/index.yaml config when present and only falls back to parsing the legacy backup/container/backup.yaml file if result.Config == nil. As a result, an archive can carry a valid inline config that passes the initial import preflight while also carrying a malformed legacy backup/container/backup.yaml file that is reparsed later from the restored file system. ParseConfigYamlFile() accepts YAML documents with no container section, and multiple downstream consumers then dereference. Container without checking for nil. Confirmed examples in the instance restore and import flow include backup.UpdateInstanceConfig() and internalImportFromBackup(). An authenticated user with permission to import instance backups may be able to crash the Incus daemon with a crafted backup archive whose inline backup/index.yaml is valid but whose extracted legacy backup.yaml omits container. The crash occurs in the restore path after archive extraction has begun. This issue has been patched in version 7.0.0.

References

Affected packages

Ubuntu:20.04:LTS

lxd

Package

Name: lxd
Purl: pkg:deb/ubuntu/lxd?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:0.*

1:0.7

1:0.8

1:0.9

1:0.10

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "lxd",
            "binary_version": "1:0.10"
        },
        {
            "binary_name": "lxd-client",
            "binary_version": "1:0.10"
        },
        {
            "binary_name": "lxd-tools",
            "binary_version": "1:0.10"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41684.json"

Ubuntu:25.10

incus

Package

Name: incus
Purl: pkg:deb/ubuntu/incus?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.0.3-4

6.0.4-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-lxc-incus-dev",
            "binary_version": "6.0.4-2"
        },
        {
            "binary_name": "incus",
            "binary_version": "6.0.4-2"
        },
        {
            "binary_name": "incus-agent",
            "binary_version": "6.0.4-2"
        },
        {
            "binary_name": "incus-base",
            "binary_version": "6.0.4-2"
        },
        {
            "binary_name": "incus-client",
            "binary_version": "6.0.4-2"
        },
        {
            "binary_name": "incus-extra",
            "binary_version": "6.0.4-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41684.json"

Ubuntu:26.04:LTS

incus

Package

Name: incus
Purl: pkg:deb/ubuntu/incus?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.0.4-2

6.0.5-8

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-lxc-incus-dev",
            "binary_version": "6.0.5-8"
        },
        {
            "binary_name": "incus",
            "binary_version": "6.0.5-8"
        },
        {
            "binary_name": "incus-agent",
            "binary_version": "6.0.5-8"
        },
        {
            "binary_name": "incus-base",
            "binary_version": "6.0.5-8"
        },
        {
            "binary_name": "incus-client",
            "binary_version": "6.0.5-8"
        },
        {
            "binary_name": "incus-extra",
            "binary_version": "6.0.5-8"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41684.json"

Ubuntu:Pro:16.04:LTS

lxd

Package

Name: lxd
Purl: pkg:deb/ubuntu/lxd?arch=source&distro=esm-infra%2Fxenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.20-0ubuntu4

0.21-0ubuntu3

0.21-0ubuntu5

0.22-0ubuntu1

0.22-0ubuntu2

0.23-0ubuntu1

0.23-0ubuntu2

0.23-0ubuntu3

0.24-0ubuntu2

0.24-0ubuntu3

0.24-0ubuntu4

0.25-0ubuntu1

0.26-0ubuntu2

0.26-0ubuntu3

0.27-0ubuntu1

0.27-0ubuntu2

2.*

2.0.0~beta1-0ubuntu3

2.0.0~beta1-0ubuntu4

2.0.0~beta2-0ubuntu1

2.0.0~beta2-0ubuntu2

2.0.0~beta3-0ubuntu1

2.0.0~beta3-0ubuntu2

2.0.0~beta3-0ubuntu3

2.0.0~beta3-0ubuntu4

2.0.0~beta4-0ubuntu1

2.0.0~beta4-0ubuntu2

2.0.0~beta4-0ubuntu3

2.0.0~beta4-0ubuntu4

2.0.0~beta4-0ubuntu5

2.0.0~beta4-0ubuntu6

2.0.0~beta4-0ubuntu7

2.0.0~rc1-0ubuntu1

2.0.0~rc1-0ubuntu2

2.0.0~rc1-0ubuntu3

2.0.0~rc2-0ubuntu2

2.0.0~rc2-0ubuntu3

2.0.0~rc3-0ubuntu1

2.0.0~rc3-0ubuntu2

2.0.0~rc3-0ubuntu3

2.0.0~rc3-0ubuntu4

2.0.0~rc4-0ubuntu1

2.0.0~rc5-0ubuntu1

2.0.0~rc6-0ubuntu1

2.0.0~rc6-0ubuntu2

2.0.0~rc7-0ubuntu1

2.0.0~rc7-0ubuntu2

2.0.0~rc8-0ubuntu1

2.0.0~rc8-0ubuntu2

2.0.0~rc8-0ubuntu3

2.0.0~rc8-0ubuntu5

2.0.0~rc8-0ubuntu6

2.0.0~rc8-0ubuntu7

2.0.0~rc9-0ubuntu2

2.0.0~rc9-0ubuntu3

2.0.0~rc9-0ubuntu4

2.0.0~rc9-0ubuntu5

2.0.0-0ubuntu1

2.0.0-0ubuntu2

2.0.0-0ubuntu3

2.0.0-0ubuntu4

2.0.1-0ubuntu1~16.04.1

2.0.2-0ubuntu1~16.04.1

2.0.3-0ubuntu1~ubuntu16.04.2

2.0.4-0ubuntu1~ubuntu16.04.1

2.0.5-0ubuntu1~ubuntu16.04.1

2.0.8-0ubuntu1~ubuntu16.04.1

2.0.8-0ubuntu1~ubuntu16.04.2

2.0.9-0ubuntu1~16.04.1

2.0.9-0ubuntu1~16.04.2

2.0.10-0ubuntu1~16.04.1

2.0.10-0ubuntu1~16.04.2

2.0.11-0ubuntu1~16.04.2

2.0.11-0ubuntu1~16.04.4

2.0.11-0ubuntu1~16.04.4+esm1

2.0.11-0ubuntu1~16.04.4+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-lxc-lxd-dev",
            "binary_version": "2.0.11-0ubuntu1~16.04.4+esm2"
        },
        {
            "binary_name": "lxc2",
            "binary_version": "2.0.11-0ubuntu1~16.04.4+esm2"
        },
        {
            "binary_name": "lxd",
            "binary_version": "2.0.11-0ubuntu1~16.04.4+esm2"
        },
        {
            "binary_name": "lxd-client",
            "binary_version": "2.0.11-0ubuntu1~16.04.4+esm2"
        },
        {
            "binary_name": "lxd-tools",
            "binary_version": "2.0.11-0ubuntu1~16.04.4+esm2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41684.json"

Ubuntu:Pro:18.04:LTS

lxd

Package

Name: lxd
Purl: pkg:deb/ubuntu/lxd?arch=source&distro=esm-infra%2Fbionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.18-0ubuntu6

2.19-0ubuntu1

2.20-0ubuntu3

2.20-0ubuntu4

2.21-0ubuntu1

2.21-0ubuntu2

2.21-0ubuntu3

2.21-0ubuntu4

3.*

3.0.0~beta2-0ubuntu3

3.0.0~beta3-0ubuntu3

3.0.0~beta5-0ubuntu2

3.0.0~beta7-0ubuntu1

3.0.0-0ubuntu1

3.0.0-0ubuntu2

3.0.0-0ubuntu3

3.0.0-0ubuntu4

3.0.1-0ubuntu1~18.04.1

3.0.2-0ubuntu1~18.04.1

3.0.3-0ubuntu1~18.04.1

3.0.3-0ubuntu1~18.04.2

3.0.3-0ubuntu1~18.04.2+esm1

3.0.3-0ubuntu1~18.04.2+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "lxd",
            "binary_version": "3.0.3-0ubuntu1~18.04.2+esm2"
        },
        {
            "binary_name": "lxd-client",
            "binary_version": "3.0.3-0ubuntu1~18.04.2+esm2"
        },
        {
            "binary_name": "lxd-tools",
            "binary_version": "3.0.3-0ubuntu1~18.04.2+esm2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41684.json"

Ubuntu:Pro:24.04:LTS

incus

Package

Name: incus
Purl: pkg:deb/ubuntu/incus?arch=source&distro=esm-apps%2Fnoble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.4-1ubuntu1

0.5.1-1

0.5.1-3

0.6-1

6.*

6.0.0-1

6.0.0-1ubuntu0.1

6.0.0-1ubuntu0.2

6.0.0-1ubuntu0.2+esm1

6.0.0-1ubuntu0.3

6.0.0-1ubuntu0.3+esm1

6.0.0-1ubuntu0.3+esm2

6.0.0-1ubuntu0.3+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-lxc-incus-dev",
            "binary_version": "6.0.0-1ubuntu0.3+esm3"
        },
        {
            "binary_name": "incus",
            "binary_version": "6.0.0-1ubuntu0.3+esm3"
        },
        {
            "binary_name": "incus-agent",
            "binary_version": "6.0.0-1ubuntu0.3+esm3"
        },
        {
            "binary_name": "incus-client",
            "binary_version": "6.0.0-1ubuntu0.3+esm3"
        },
        {
            "binary_name": "incus-migrate",
            "binary_version": "6.0.0-1ubuntu0.3+esm3"
        },
        {
            "binary_name": "incus-tools",
            "binary_version": "6.0.0-1ubuntu0.3+esm3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41684.json"