Vulnerability DatabaseCVE-2026-33542
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-33542
March 26, 2026
Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one. Version 6.23.0 patches the issue.
Affected Packages
https://github.com/lxc/incus.git (GITHUB):
Affected version(s) >=v0.1.0 <v6.23.0
Fix Suggestion:
Update to version v6.23.0
Related Resources (8)
https://github.com/lxc/incus/commit/ee26f72524ab60a4abcfd4e52667c52bb24364fc
https://github.com/lxc/incus
https://github.com/lxc/incus/commit/04e97418189f743411884afb81a3384e6218b8cd
https://nvd.nist.gov/vuln/detail/CVE-2026-33542
https://github.com/lxc/incus/releases/tag/v6.23.0
https://github.com/lxc/incus/security/advisories/GHSA-p8mm-23gg-jc9r
https://github.com/lxc/incus/commit/4a80447c52d6bc05d3322feeb5395f581e7a80e4
https://github.com/lxc/incus/commit/72688b7d9400c8f3c17ad0f93a7c1aeb89627307
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.7
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
PRESENT
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
HIGH
Subsequent System Availability
NONE
Exploit Maturity
POC
CVSS v3
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
LOW
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Improper Certificate Validation
CWE-295
Improper Validation of Integrity Check Value
CWE-354
EPSS
Base Score:
0.04