CVE-2026-33542
CVE-2026-33542 is a medium-severity vulnerability in Incus, rated 5.7/10 on the CVSS scale. EPSS estimates a 0.18% chance of exploitation in the next 30 days.
Description
Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and, under very narrow circumstances, exposes other tenants to running attacker-controlled images rather than the expected one. Version 6.23.0 patches the issue.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Linuxcontainers | Incus | < 6.23.0 |
References
- https://github.com/lxc/incus/security/advisories/GHSA-p8mm-23gg-jc9r (Exploit, Mitigation, Vendor Advisory)
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-33542?
How severe is CVE-2026-33542?
How do I fix CVE-2026-33542?
Are you affected by CVE-2026-33542?
Source: NVD / NIST
