Description
Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one. Version 6.23.0 patches the issue.
Published: 2026-03-26
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Image Execution
Action: Immediate Patch
AI Analysis

Impact

Incus, a container and virtual machine manager, did not verify the combined fingerprint of images downloaded from simplestreams servers. This omission allows an attacker to poison the image cache, potentially causing other tenants to pull and run attacker‑controlled images instead of the intended ones. The weakness can lead to code execution within the affected containers, exposing confidentiality, integrity, and availability of the host and other tenants.

Affected Systems

The vulnerability affects all Incus installations up to and including version 6.23.0. It arises when the system retrieves images from simplestreams image servers. Versions 6.23.0 and later incorporate a fix that validates image fingerprints during download.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity. EPSS information is not available and the vulnerability is not listed in the KEV catalog, suggesting limited known exploitation at present. The likely attack vector involves an attacker controlling or compromising a simplestreams image repository, enabling the delivery of a malicious image that bypasses the cache. Once delivered, the attacker could execute arbitrary code within the target container, potentially affecting other tenants sharing the host.

Generated by OpenCVE AI on March 27, 2026 at 06:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Incus to version 6.23.0 or later.

Generated by OpenCVE AI on March 27, 2026 at 06:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-354
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}

threat_severity

Important

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Lxc
Lxc incus
Vendors & Products Lxc
Lxc incus

Fri, 27 Mar 2026 04:00:00 +0000

Type Values Removed Values Added
Description Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one. Version 6.23.0 patches the issue.
Title Incus does not verify combined fingerprint when downloading images from simplestreams servers
Weaknesses CWE-295
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:P'}

Subscriptions

Lxc Incus
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T22:32:13.733Z

Reserved: 2026-03-20T18:05:11.832Z

Link: CVE-2026-33542

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-26T23:16:20.113

Modified: 2026-03-26T23:16:20.113

Link: CVE-2026-33542

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-26T22:32:13Z

Links: CVE-2026-33542 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:22:55Z

Weaknesses