CVE-2026-33542 | THREATINT

Description

Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one. Version 6.23.0 patches the issue.

PUBLISHED Reserved 2026-03-20 | Published 2026-03-26 | Updated 2026-03-30 | Assigner GitHub_M

MEDIUM: 5.7CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:P

Problem types

CWE-295: Improper Certificate Validation

Product status

< 6.23.0

affected

References

github.com/lxc/incus/security/advisories/GHSA-p8mm-23gg-jc9r

cve.org (CVE-2026-33542)

nvd.nist.gov (CVE-2026-33542)

Download JSON