CVE-2026-33542

MEDIUM

Incus does not verify combined fingerprint when downloading images from simplestreams servers

Title source: cna

Description

Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one. Version 6.23.0 patches the issue.

References (1)

[X_Refsource_Confirm] https://github.com/lxc/incus/security/advisories/GHSA-p8mm-23gg-jc9r

Scores

CVSS v3 4.8

EPSS 0.0004

EPSS Percentile 12.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-295

Status published

Products (3)

linuxcontainers/incus < 6.23.0

lxc/incus 0 - 6.23.0Go

lxc/incus < 6.23.0

Published Mar 26, 2026

Tracked Since Mar 27, 2026