Incus 6.21 Container & Virtual Machine Manager Released

With Incus 6.21, users get a new incus wait command, smarter SR-IOV NIC handling, and stronger access controls.

The Incus team has just announced the release of version 6.21 of its container & virtual machine manager, a community-driven fork of LXD, created after Canonical changed LXD’s governance and moved it under its umbrella.

The most important changes address two high-severity security vulnerabilities, CVE-2026-23953 and CVE-2026-23954. Both issues could allow privilege escalation by otherwise restricted users, including local users in the incus group or remote users authenticated with limited TLS certificates or equivalent authorization mechanisms.

Beyond security, Incus 6.21 introduces a new incus wait command to improve automation workflows. The command allows scripts and operators to wait for specific instance conditions, such as reaching a defined state, the VM agent becoming available, or the instance acquiring an IP address.

Networking sees several notable improvements. SR-IOV network interfaces now benefit from automatic device selection logic similar to that introduced by Incus for GPUs. Administrators can request NICs by vendor and product ID, while Incus selects the most appropriate physical device and balances virtual functions across available hardware.

Incus Web Management UI

Additional control over network interfaces has been added through two new properties: attached and connected. These allow administrators to fully detach a NIC from an instance while preserving its configuration, or to keep the interface present but disconnected from the network.

Startup performance has also improved, as Incus 6.21 now starts instances in parallel for projects that do not use startup priorities or delays, scaling concurrency based on available CPU threads, thereby significantly reducing boot times.

For environments using OpenID Connect authentication, Incus 6.21 adds support for restricting API access based on client network location. A new incus.allowed_subnets OIDC claim allows administrators to define which CIDR ranges a client must connect from, enabling enforcement of VPN usage or site-specific access policies directly at the API level.
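The kind of check this describes can be sketched in Go as follows. This is an added example, not Incus's own code: only the claim name comes from the release notes, while the claim format (a JSON array of CIDR strings), the clientAllowed helper, and the policy for a missing or malformed claim are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Claim name from the article. The value format (array of CIDR strings) is assumed.
const claimKey = "incus.allowed_subnets"

// clientAllowed reports whether remoteAddr ("host:port" as seen by the listener) lies in
// a claimed CIDR range. Assumed policy: absent claim = unrestricted, malformed claim = deny.
func clientAllowed(claims map[string]any, remoteAddr string) (bool, error) {
	raw, present := claims[claimKey]
	if !present {
		return true, nil
	}
	list, ok := raw.([]any)
	if !ok {
		return false, fmt.Errorf("%s: want array, got %T", claimKey, raw)
	}
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return false, fmt.Errorf("remote address: %w", err)
	}
	// Unmap so an IPv4 client on a dual-stack socket (::ffff:a.b.c.d)
	// is compared against IPv4 ranges; netip never matches across families.
	addr := ap.Addr().Unmap()
	allowed := false
	for _, item := range list {
		s, _ := item.(string) // a non-string entry becomes "" and fails to parse
		prefix, err := netip.ParsePrefix(s)
		if err != nil {
			return false, fmt.Errorf("%s: bad entry %v: %w", claimKey, item, err)
		}
		if prefix.Contains(addr) {
			allowed = true // keep looping so every entry is validated
		}
	}
	return allowed, nil
}

func main() {
	// Constructed sample claims and client addresses.
	claims := map[string]any{claimKey: []any{"10.8.0.0/16", "2001:db8:40::/48"}}
	for _, a := range []string{"10.8.3.7:51544", "[::ffff:10.8.3.7]:51544", "203.0.113.9:40000"} {
		fmt.Println(clientAllowed(claims, a))
	}
}
```

A check like this is only meaningful when the API listener sees the real client address; behind a reverse proxy the peer address is the proxy's.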

DNS handling has been refined with better support for SOA records in network zones. Generated zones now follow more standard conventions, use the first configured DNS server as the primary server, and include a new option to customize the SOA record’s contact field.

Finally, the API gains support for forceful recursive file deletion. A new X-Incus-force HTTP header allows clients using the REST API to request recursive deletion of filesystem trees, matching functionality already available through the SFTP-based file API.

For more information about the Incus 6.21 container and virtual machine manager changes, visit the release announcement or check out the full changelog.

Users are encouraged to try out these new features by visiting the Incus online platform, which provides a hands-on experience with the latest version.

Bobby Borisov


Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
