High severity · NVD Advisory · Published Mar 26, 2026 · Updated Mar 30, 2026
Incus does not verify combined fingerprint when downloading images from simplestreams servers
CVE-2026-33542
Description
Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and, under very narrow circumstances, exposes other tenants to running attacker-controlled images rather than the expected one. Version 6.23.0 patches the issue.
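The missing check described above is a fingerprint comparison performed before a downloaded image is written into the cache. The following Go program is an added example, not code from the Incus project or from this advisory: it assumes that a split image's combined fingerprint is the hex SHA-256 over the metadata tarball followed by the rootfs, that the expected fingerprint comes from the trusted simplestreams index, and it uses an in-memory map as a stand-in for the image store. The names `CombinedFingerprint`, `imageCache` and `VerifyAndCache` are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrFingerprintMismatch is returned when the downloaded bytes do not hash to
// the fingerprint advertised by the index; the image is never cached in that case.
var ErrFingerprintMismatch = errors.New("image fingerprint mismatch: refusing to cache")

// CombinedFingerprint returns the hex SHA-256 of metadata followed by rootfs.
// Assumption (not stated in the advisory): this is how a split image's combined
// fingerprint is formed; for a unified image pass rootfs as nil.
func CombinedFingerprint(metadata, rootfs []byte) string {
	h := sha256.New()
	h.Write(metadata)
	h.Write(rootfs)
	return hex.EncodeToString(h.Sum(nil))
}

// imageCache stands in for an on-disk image store keyed by fingerprint.
type imageCache map[string][]byte

// VerifyAndCache recomputes the fingerprint over the downloaded content and only
// stores the image when it matches the value taken from the trusted index. A
// mismatch (corrupted, substituted or tampered download) leaves the cache untouched,
// so a poisoned entry can never be served to later consumers.
func (c imageCache) VerifyAndCache(expected string, metadata, rootfs []byte) error {
	got := CombinedFingerprint(metadata, rootfs)
	// Constant-time compare avoids leaking how many leading bytes matched.
	if subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
		return fmt.Errorf("%w: expected %s, got %s", ErrFingerprintMismatch, expected, got)
	}
	stored := make([]byte, 0, len(metadata)+len(rootfs))
	stored = append(stored, metadata...)
	stored = append(stored, rootfs...)
	c[expected] = stored
	return nil
}

func main() {
	// Constructed sample image; in practice these bytes come from the download.
	meta := []byte("constructed-metadata-tarball")
	rootfs := []byte("constructed-rootfs")
	indexFingerprint := CombinedFingerprint(meta, rootfs) // what the index advertises

	cache := imageCache{}
	fmt.Println("genuine image:", cache.VerifyAndCache(indexFingerprint, meta, rootfs))
	fmt.Println("tampered image:", cache.VerifyAndCache(indexFingerprint, meta, []byte("substituted")))
	fmt.Println("cached entries:", len(cache))
}
```

The important ordering is that verification happens before the write: an implementation that caches first and verifies afterwards, or that skips the comparison entirely, allows a server returning a different body under the same fingerprint to populate the shared cache.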
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/lxc/incus/v6/client | Go | < 6.23.0 | 6.23.0 |
Affected products
- ghsa-coords (2 version ranges)
  - (no CPE) range: < 6.23.0
  - (no CPE) range: < 6.23-1.1
References
- github.com/advisories/GHSA-p8mm-23gg-jc9r (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33542 (GHSA, advisory)
- github.com/lxc/incus/commit/04e97418189f743411884afb81a3384e6218b8cd (GHSA, web)
- github.com/lxc/incus/commit/4a80447c52d6bc05d3322feeb5395f581e7a80e4 (GHSA, web)
- github.com/lxc/incus/commit/72688b7d9400c8f3c17ad0f93a7c1aeb89627307 (GHSA, web)
- github.com/lxc/incus/commit/ee26f72524ab60a4abcfd4e52667c52bb24364fc (GHSA, web)
- github.com/lxc/incus/releases/tag/v6.23.0 (GHSA, web)
- github.com/lxc/incus/security/advisories/GHSA-p8mm-23gg-jc9r (GHSA, x_refsource_CONFIRM, web)