CVE-2026-33542
Incus does not verify combined fingerprint when downloading images from simplestreams servers in github.com/lxc/incus
4.8
MEDIUM
CVSS 3.1
EPSS 0.02%
Description
Incus is a system container and virtual machine manager. Prior to version 6.23.0, Incus did not validate the image fingerprint when downloading from simplestreams image servers. This opens the door to image cache poisoning and, under very narrow circumstances, exposes other tenants to running attacker-controlled images rather than the expected one. Version 6.23.0 patches the issue.
How to fix CVE-2026-33542
To remediate CVE-2026-33542, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 6.0.4-2+deb13u5 or later
- upgrade to 5.0.2-5+deb12u4 or later
- no fix listed
- upgrade to 6.23.0 or later
- upgrade to 6.23.0 or later
Is CVE-2026-33542 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (5)
- from 0, < 6.0.4-2+deb13u5
- from 0, < 5.0.2-5+deb12u4
- from 0
- from 0, < 6.23.0
- from 0, < 6.23.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:H/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM 4.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |