Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2026-40243

Incus is a system container and virtual machine manager. In versions before 7.0.0, broken TLS validation logic in the OVN database connection logic can allow connections to an attacker's OVN database. The OVN client implementations disable Go standard TLS server verification and replace it with custom peer-certificate verification logic. That replacement verifier does not anchor trust in the configured CA certificate. Instead, it constructs the verification root set from certificates supplied by the peer during the handshake, so the configured CA is parsed but not used as the trust anchor for the final verification decision. In OVN-enabled deployments that use these SSL database connection paths, an attacker able to impersonate or intercept the OVN endpoint on the management network can present a rogue self-signed certificate chain, and Incus will accept this certificate as valid. This issue defeats the intended CA-based trust model for OVN database connections and permits endpoint impersonation by an active attacker in a suitable network position. This issue is fixed in version 7.0.0.

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 4.8, indicating it can be exploited remotely over the network but requires specific conditions to be met without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts limited data confidentiality, limited integrity, for affected systems. Impacting 1 product from linuxcontainers organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2026, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2026-05-06T21:16:01.070

Last Modified

2026-05-08T17:23:38.943

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 4.8 (MEDIUM)

Weaknesses

Type: Secondary
CWE-295

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	linuxcontainers	incus	< 7.0.0	Yes

References

https://github.com/lxc/incus/blob/v6.22.0/internal/server/network/ovn/ovn_icnb.go Product ([email protected])
https://github.com/lxc/incus/blob/v6.22.0/internal/server/network/ovn/ovn_icsb.go Product ([email protected])
https://github.com/lxc/incus/blob/v6.22.0/internal/server/network/ovn/ovn_nb.go Product ([email protected])
https://github.com/lxc/incus/blob/v6.22.0/internal/server/network/ovn/ovn_sb.go Product ([email protected])
https://github.com/lxc/incus/security/advisories/GHSA-c839-4qxr-j4x3 Exploit, Vendor Advisory ([email protected])
https://github.com/lxc/incus/security/advisories/GHSA-c839-4qxr-j4x3 Exploit, Vendor Advisory (134c704f-9b21-4f2e-91b3-4a467353bcc0)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For linuxcontainers's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.