CVE-2026-33542 MEDIUM

CVE-2026-33542: Incus does not verify combined fingerprint when downloading images from simplestreams servers

Vendor Lxc
Product incus
Weakness CWE-295 (Improper Certificate Validation)
Published March 26, 2026
Last update March 30, 2026

CVSS base score

5.7/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:P

What the vulnerability does

01 Description

Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and, under very narrow circumstances, exposes other tenants to running attacker-controlled images rather than the expected one. Version 6.23.0 patches the issue.
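The check the description says was missing, shown as an added Go example (this is illustrative code, not Incus's own implementation): a downloaded split image is only admitted into the image cache after its combined fingerprint has been recomputed and compared with the fingerprint advertised by the trusted index. It assumes the combined fingerprint of a split image is the SHA-256 over the metadata tarball followed by the rootfs, which is the simplestreams convention; the function names, the in-memory cache and the sample bytes are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// FingerprintError reports a downloaded image whose content does not
// match the fingerprint the index promised for it.
type FingerprintError struct {
	Expected string
	Actual   string
}

func (e *FingerprintError) Error() string {
	return fmt.Sprintf("image fingerprint mismatch: expected %s, got %s", e.Expected, e.Actual)
}

// CombinedFingerprint computes the SHA-256 of the metadata tarball bytes
// followed by the rootfs bytes (assumed simplestreams convention) and
// returns it as lowercase hex.
func CombinedFingerprint(metadata, rootfs []byte) string {
	h := sha256.New()
	h.Write(metadata)
	h.Write(rootfs)
	return hex.EncodeToString(h.Sum(nil))
}

// ValidFingerprint rejects anything that is not exactly 32 bytes of hex,
// so a malformed or empty expected value can never pass the comparison.
func ValidFingerprint(fp string) bool {
	raw, err := hex.DecodeString(fp)
	return err == nil && len(raw) == sha256.Size
}

// VerifyAndCache recomputes the fingerprint of the downloaded parts and
// stores the image under that fingerprint only when it matches expected.
// On mismatch nothing is written, so a tampered download cannot poison
// the cache entry that other tenants would later be served from.
func VerifyAndCache(cache map[string][]byte, expected string, metadata, rootfs []byte) error {
	if !ValidFingerprint(expected) {
		return fmt.Errorf("refusing image with malformed expected fingerprint %q", expected)
	}
	actual := CombinedFingerprint(metadata, rootfs)
	if subtle.ConstantTimeCompare([]byte(actual), []byte(expected)) != 1 {
		return &FingerprintError{Expected: expected, Actual: actual}
	}
	image := make([]byte, 0, len(metadata)+len(rootfs))
	image = append(image, metadata...)
	image = append(image, rootfs...)
	cache[expected] = image
	return nil
}

func main() {
	// Constructed sample parts standing in for the two files of a split image.
	metadata := []byte("constructed metadata tarball bytes")
	rootfs := []byte("constructed rootfs bytes")
	expected := CombinedFingerprint(metadata, rootfs) // what a trusted index would advertise

	cache := map[string][]byte{}
	fmt.Println("genuine download:", VerifyAndCache(cache, expected, metadata, rootfs))

	tampered := append([]byte{}, rootfs...)
	tampered[0] ^= 0xff
	fmt.Println("tampered download:", VerifyAndCache(cache, expected, metadata, tampered))
	fmt.Println("cached entries:", len(cache))
}
```

The cache is keyed by the verified fingerprint rather than by the image alias or URL, so a later lookup by fingerprint can only ever return bytes that hashed to that value.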

Key dates

02 Disclosure timeline

March 26, 2026 CVE published
March 30, 2026 Record updated