CVE-2026-33743: Incus vulnerable to denial of source through crafted bucket backup file

March 27, 2026

A specially crafted storage bucket backup can be used by an user with access to Incus’ storage bucket feature to crash the Incus daemon. Repeated use of this attack can be used to keep the server offline causing a denial of service of the control plane API.

This does not impact any running workload, existing containers and virtual machines will keep operating.

References

github.com/advisories/GHSA-vg76-xmhg-j5x3
github.com/lxc/incus
github.com/lxc/incus/commit/4bca6332e8227a5f25f74b51a66b7382e9133aaa
github.com/lxc/incus/releases/tag/v6.23.0
github.com/lxc/incus/security/advisories/GHSA-vg76-xmhg-j5x3
nvd.nist.gov/vuln/detail/CVE-2026-33743

Code Behaviors & Features

Detect and mitigate CVE-2026-33743 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →