CVE-2026-41685 — Incus is a system container and virtual machine manager.
CVE-2026-41685 — Incus is a system container and virtual machine manager. Prior to version 7.0.0, uploads of large amount of data by authenticated users can run the Incus server out of disk space, potentially taking down the host system. The impact here is limited for anyone using storage.images_vol
What This Means For You
- If your environment is affected by CWE-770, review your exposure and prioritize patching based on your environment. Monitor vendor advisories for CVE-2026-41685 updates and patches.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Incus Large Data Upload Exhausting Disk Space - CVE-2026-41685
title: Incus Large Data Upload Exhausting Disk Space - CVE-2026-41685
id: scw-2026-05-07-ai-1
status: experimental
level: medium
description: |
Detects the execution of the 'incus' binary with commands related to storage creation, which could indicate an authenticated user attempting to upload a large amount of data to exhaust disk space, as described in CVE-2026-41685. This rule targets the core vulnerability where large uploads by authenticated users can lead to disk space exhaustion.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-41685/
tags:
- attack.defense_evasion
- attack.t1499
logsource:
category: process_creation
detection:
selection:
Image|endswith:
- '/incus'
CommandLine|contains:
- 'storage.create'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41685 | vulnerability | CVE-2026-41685 |
| CWE-770 | weakness | CWE-770 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 07, 2026 at 17:16 UTC |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-44264 — Weblate is a web based localization tool. Prior to version
CVE-2026-44264 — Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't...
CVE-2026-44263 — Weblate is a web based localization tool. Prior to version
CVE-2026-44263 — Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of...
gnutls CVE-2026-42011: Certificate Validation Bypass Poses MITM Risk
CVE-2026-42011 — A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had...