CVE-2026-33542

EUVD-2026-16460
Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and, under very narrow circumstances, exposes other tenants to running attacker-controlled images rather than the expected one. Version 6.23.0 patches the issue.
CVSS Scores
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  4.8 MEDIUM  NETWORK      HIGH             NONE            CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Base Score (CVSS 3.x): 4.8 MEDIUM
EPSS Score: percentile 12%
Affected Products (NVD)
Vendor           Product  Version
linuxcontainers  incus    < 6.23.0 (vulnerable software versions)
Debian Releases
Debian Product  Codename             Version                              Status
incus           forky                6.0.6-3                              fixed
incus           sid                  7.0.0-1                              fixed
incus           trixie               -                                    vulnerable
incus           trixie (security)    6.0.4-2+deb13u7                      fixed
lxd             bookworm             -                                    vulnerable
lxd             bookworm (security)  5.0.2-5+deb12u6                      fixed
lxd             trixie               -                                    vulnerable
lxd             trixie (security)    5.0.2+git20231211.1364ae4-9+deb13u6  fixed