CVE-2026-33542

Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one. Version 6.23.0 patches the issue.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/lxc/incus/security/advisories/GHSA-p8mm-23gg-jc9r	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*

History

30 Mar 2026, 18:48

Type	Values Removed	Values Added
First Time		Linuxcontainers Linuxcontainers incus
References	~~() https://github.com/lxc/incus/security/advisories/GHSA-p8mm-23gg-jc9r -~~	() https://github.com/lxc/incus/security/advisories/GHSA-p8mm-23gg-jc9r - Exploit, Mitigation, Vendor Advisory
CPE		cpe:2.3:a:linuxcontainers:incus::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.8

30 Mar 2026, 13:26

Type	Values Removed	Values Added
Summary		(es) Incus es un gestor de contenedores de sistema y máquinas virtuales. Antes de la versión 6.23.0, una falta de validación de la huella digital de la imagen al descargar desde servidores de imágenes simplestreams abre la puerta al envenenamiento de la caché de imágenes y, bajo circunstancias muy estrechas, expone a otros inquilinos a ejecutar imágenes controladas por el atacante en lugar de la esperada. La versión 6.23.0 parchea el problema.

26 Mar 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-26 23:16

Updated : 2026-03-30 18:48

NVD link : CVE-2026-33542

Mitre link : CVE-2026-33542

CVE.ORG link : CVE-2026-33542

JSON object : View

Products Affected

linuxcontainers

incus

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2026-33542", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-26T23:16:20.113", "references": [{"url": "https://github.com/lxc/incus/security/advisories/GHSA-p8mm-23gg-jc9r", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one. Version 6.23.0 patches the issue."}, {"lang": "es", "value": "Incus es un gestor de contenedores de sistema y m\u00e1quinas virtuales. Antes de la versi\u00f3n 6.23.0, una falta de validaci\u00f3n de la huella digital de la imagen al descargar desde servidores de im\u00e1genes simplestreams abre la puerta al envenenamiento de la cach\u00e9 de im\u00e1genes y, bajo circunstancias muy estrechas, expone a otros inquilinos a ejecutar im\u00e1genes controladas por el atacante en lugar de la esperada. La versi\u00f3n 6.23.0 parchea el problema."}], "lastModified": "2026-03-30T18:48:50.393", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CBE3ABCB-1D47-4A45-A09A-C9F609C53131", "versionEndExcluding": "6.23.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}