CVE-2026-33542

Severity CVSS v4.0:

MEDIUM

Type:

CWE-295 Improper Certificate Validation

Publication date:

26/03/2026

Last modified:

26/03/2026

Description

Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one. Version 6.23.0 patches the issue.

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:P CVSS v4.0 Severity and Metrics:

Base Score: 5.70 MEDIUM
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:P

Attack Vector (AV): Network
Attack Complexity (AC): High
Attack Requirements (AT): Present
Privileges Required (PR): Low
User Interaction (UI): None
Confidentiality (VC): Low
Integrity (VI): High
Availability (VA): None
Confidentiality (SC): Low
Integrity (SI): High
Availability (SA): None
Exploit Maturity (E): POC

Base Score 4.0

5.70

Severity 4.0

MEDIUM

References to Advisories, Solutions, and Tools

https://github.com/lxc/incus/security/advisories/GHSA-p8mm-23gg-jc9r