CVE-2026-47753

MEDIUMPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: 0%CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Incus has a Nil-Pointer Dereference Panic via Instance Backup Import (volume omitted)

Summary

(*backend).CreateInstanceFromBackup in internal/server/storage/backend.go contains a nil-pointer dereference that an authenticated user with permission to create instances in any project can trigger remotely by uploading a crafted backup tarball. The Incus daemon panics and the process crashes, causing denial of service to every project on that cluster member.

This is a sibling of GHSA-fwj8-62r8-8p8m, GHSA-r7w7-mmxr-47r9, and GHSA-x5r6-jr56-89pv (all assigned 2026-05-04). Those patches added guards on adjacent fields of the same backup/config.Config struct; the Volume field on the instance-import path was missed.

Vulnerable code

internal/server/storage/backend.go (current main, commit 1513600):

// Lines 763-767 — properly guarded:
var volumeConfig map[string]string
if srcBackup.Config != nil && srcBackup.Config.Volume != nil {
    volumeConfig = srcBackup.Config.Volume.Config
}

// ... a few lines later ...

// Line 795 — unguarded, dereferences Config.Volume directly: if srcBackup.Config.Volume.Config["block.type"] == drivers.BlockVolumeTypeQcow2 {

The caller createFromBackup in cmd/incusd/instances_post.go only verifies that Config and Config.Container are non-nil:

// instances_post.go:854
if bInfo.Config == nil || bInfo.Config.Container == nil {
    return response.BadRequest(errors.New("Backup file is missing required information"))
}

Volume is not checked. The Volume field on internal/server/backup/config.Config has type *api.StorageVolume with yaml:"volume,omitempty", so omitting volume: from a crafted backup/index.yaml decodes to nil. The subsequent unguarded deref on line 795 panics.

The panic happens on the HTTP request goroutine; no recover() is installed by CreateInstanceFromBackup or its callers, so the Go runtime kills the entire incusd process.

Reach

  • The attacker is any client authenticated to the Incus REST API (TLS client certificate, OIDC, or unix socket) with permission to create instances in at least one project. This is the most common low-trust authenticated user.
  • The attacker sends POST /1.0/instances?project= with Content-Type: application/octet-stream.
  • The body is an uncompressed tar (the same code path also accepts squashfs / gz / zstd / xz) containing one file, backup/index.yaml, whose config: block lists container: and pool: but omits volume:.
  • cmd/incusd/instances_post.go instancesPost -> createFromBackup -> the line 854 guard passes (Container is non-nil) -> pool.CreateInstanceFromBackup(*bInfo, backupFile, nil) -> internal/server/storage/backend.go:795 panics on srcBackup.Config.Volume.Config[...].
  • incusd process dies. All running operations on that cluster member are killed. Repeated requests = persistent denial of service.

Minimal crafted backup/index.yaml:

name: poc
backend: dir
pool: default
type: container
optimized: false
optimized_header: false
config:
  container:
    name: poc
    architecture: x86_64
    type: container
  pool:
    name: default
    driver: dir
  # volume intentionally absent

Proof of concept

A self-contained Go unit test imports the real internal/server/backup/config package, decodes the crafted YAML into the actual *backupConfig.Config struct used by the daemon, and executes the literal expression from backend.go:795. The test is intentionally inert (panics are recovered and reported as the expected outcome):

// internal/poc_repro/poc_nil_deref_volume_test.go
func TestPoCNilDerefVolumeImport(t *testing.T) {
    var bi pocInfo // mirrors internal/server/backup.Info, only Config is needed
    loader, _ := yaml.NewLoader(strings.NewReader(evilIndex))
    _ = loader.Load(&bi)

// bi.Config != nil, bi.Config.Container != nil (passes createFromBackup guard) // bi.Config.Volume == nil (passes the line 765 guard's else branch)

defer func() { _ = recover() }()

// Literal copy of backend.go:795. if bi.Config.Volume.Config["block.type"] == "qcow2" { // unreachable } }

Result against lxc/incus@1513600 on Go 1.26.1:

=== RUN   TestPoCNilDerefVolumeImport
    poc_nil_deref_volume_test.go:97: yaml decoded: Container != nil (passes createFromBackup guard), Volume == nil
    poc_nil_deref_volume_test.go:99: backend.go line 795 unguarded deref about to execute...
    poc_nil_deref_volume_test.go:123: CONFIRMED: nil-pointer panic at the exact line as backend.go:795 => runtime error: invalid memory address or nil pointer dereference
--- PASS: TestPoCNilDerefVolumeImport (0.00s)

A tarball builder + uploader (main.go) is included in the report's PoC bundle. The tarball is 2560 bytes and contains a single 547-byte backup/index.yaml.

Impact

  • Severity: denial of service against the entire incusd process. Every container / VM operation on the host (and on the cluster member, if clustered) is aborted; subsequent requests fail until the process is restarted by an operator or supervisor.
  • Privileges required: authenticated user with can_create permission on any project. The path is not behind the admin auth tier.
  • Network attack surface: the Incus REST API on :8443 (or unix socket).
  • CWE-476 — nil pointer dereference. CVSS estimate: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Suggested fix

Mirror the guard already present on line 765 a few lines higher into the path that hits line 795. For example:

if srcBackup.Config == nil || srcBackup.Config.Volume == nil {
    return nil, nil, errors.New("Backup config missing required volume metadata")
}

if srcBackup.Config.Volume.Config["block.type"] == drivers.BlockVolumeTypeQcow2 {

Alternatively, extend the existing createFromBackup precondition in cmd/incusd/instances_post.go:854 to also reject backups missing bInfo.Config.Volume. The latter is the smaller surface change and matches the pattern of CreateBucketFromBackup (backend.go:7848):

if srcBackup.Config == nil || srcBackup.Config.Bucket == nil {
    return errors.New("Valid bucket config not found in index")
}

Reporter notes

Reported via Privately-Reported Vulnerability against lxc/incus. Reporter: tonghuaroot. The reproducer test is non-destructive (no network, no filesystem mutation beyond the temp directory used by Go's test runner) and recovers the panic.

CVSS v3
EG Score
0.0(none)
EPSS
1.3%
KEV
Not listed

Published

June 10, 2026

Last Modified

June 10, 2026

Vendor Advisories for CVE-2026-47753(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
Go(1)
PackageVulnerable rangeFixed inDependents
github.com/lxc/incus/v77.1.0

Data Freshness Timeline

(refreshed 0× in last 7d / 5× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-06-14 23:18 UTCEPSS rescore
  2. 2026-06-13 23:00 UTCEPSS rescore
  3. 2026-06-13 18:19 UTCEG score recompute
  4. 2026-06-12 23:12 UTCEPSS rescore
  5. 2026-06-10 20:17 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-47753?
CVE-2026-47753 is a medium vulnerability published on June 10, 2026. Incus has a Nil-Pointer Dereference Panic via Instance Backup Import (volume omitted) Summary (*backend).CreateInstanceFromBackup in internal/server/storage/backend.go contains a nil-pointer dereference that an authenticated user with permission to create instances in any project can trigger…
When was CVE-2026-47753 disclosed?
CVE-2026-47753 was first published in the National Vulnerability Database on June 10, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-47753 actively exploited?
CVE-2026-47753 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 1.3% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
How do I remediate CVE-2026-47753?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47753, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-47753

Explore →

Is Your Infrastructure Affected by CVE-2026-47753?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.