CVE-2026-33542
Status: Received - Intake
Image Cache Poisoning in Incus Allows Attacker-Controlled Images

Publication date: 2026-03-26

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one. Version 6.23.0 patches the issue.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-27
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: linuxcontainers
Product: incus
Version / Range: up to 6.23.0 (excluding)
CWE
CWE-295: The product does not validate, or incorrectly validates, a certificate.
Executive Summary

This vulnerability affects Incus, a system container and virtual machine manager. Before version 6.23.0, Incus did not properly validate the image fingerprint when downloading images from simplestreams image servers. This lack of validation allows an attacker to poison the image cache, which under very specific conditions can cause other tenants to run attacker-controlled images instead of the intended ones.

Impact Analysis

The vulnerability can lead to image cache poisoning, which means that an attacker could cause your system to run malicious images instead of the expected ones. This could compromise the integrity and security of your containers or virtual machines. Under very narrow circumstances, this could also expose other tenants to attacker-controlled images, potentially leading to unauthorized access or execution of malicious code.

Mitigation Strategies

To mitigate this vulnerability, upgrade Incus to version 6.23.0 or later, as this version patches the issue related to image fingerprint validation.
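The check the advisory says was missing, written here as an added illustration (not Incus code): a downloaded image is hashed and compared with the fingerprint advertised by the image index before it is allowed into the local cache, so a download whose content does not match is never stored. It assumes the fingerprint is the hex SHA-256 of the downloaded image bytes and uses an in-memory map in place of Incus's real image store; the sample image bytes are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
)

// ImageCache stands in for the local image store: fingerprint -> image bytes.
type ImageCache map[string][]byte

// FingerprintOf returns the hex SHA-256 of an image (assumed fingerprint scheme).
func FingerprintOf(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// StoreVerified streams the download through SHA-256, compares the result with
// the fingerprint the index advertised, and only then inserts it into the cache.
// On mismatch it returns the computed fingerprint and an error and caches nothing,
// so a bad download cannot poison the cache entry other tenants would later reuse.
func StoreVerified(cache ImageCache, expected string, download io.Reader) (string, error) {
	h := sha256.New()
	var buf bytes.Buffer
	if _, err := io.Copy(io.MultiWriter(h, &buf), download); err != nil {
		return "", err
	}
	got := hex.EncodeToString(h.Sum(nil))
	if subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
		return got, fmt.Errorf("fingerprint mismatch: index says %s, download hashes to %s", expected, got)
	}
	cache[got] = buf.Bytes()
	return got, nil
}

func main() {
	genuine := []byte("constructed genuine image bytes")   // what the index describes
	tampered := []byte("constructed tampered image bytes") // what a bad mirror served
	want := FingerprintOf(genuine)
	cache := ImageCache{}
	if _, err := StoreVerified(cache, want, bytes.NewReader(tampered)); err != nil {
		fmt.Println("rejected:", err, "| cached entries:", len(cache))
	}
	fp, _ := StoreVerified(cache, want, bytes.NewReader(genuine))
	fmt.Println("accepted:", fp, "| cached entries:", len(cache))
}
```

The comparison is only as trustworthy as the fingerprint it is given, so the index itself still needs to arrive over an authenticated channel.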
