CVE-2026-33542
Image Cache Poisoning in Incus Allows Attacker-Controlled Images
Publication date: 2026-03-26
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxcontainers | incus | < 6.23.0 (all versions before 6.23.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Incus, a system container and virtual machine manager. Before version 6.23.0, Incus did not properly validate the image fingerprint when downloading images from simplestreams image servers. This lack of validation allows an attacker to poison the image cache, which under very specific conditions can cause other tenants to run attacker-controlled images instead of the intended ones.
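The check described above, shown as an added Go example that is not Incus's own code: an image blob fetched from a remote index is hashed locally and admitted to the cache only when its digest matches the fingerprint the index advertised. `ImageCache`, `StoreUnverified`, `StoreVerified` and the sample blobs are all hypothetical constructs for illustration; the real Incus code base, its cache layout and its exact fix are not reproduced here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrFingerprintMismatch is returned when downloaded bytes do not hash to the
// fingerprint advertised by the image index.
var ErrFingerprintMismatch = errors.New("image fingerprint mismatch: refusing to cache")

// ImageCache is a hypothetical in-memory image cache keyed by fingerprint.
// It stands in for an on-disk cache shared between tenants.
type ImageCache struct {
	images map[string][]byte
}

// NewImageCache returns an empty cache.
func NewImageCache() *ImageCache {
	return &ImageCache{images: make(map[string][]byte)}
}

// Fingerprint computes the SHA-256 hex digest of an image blob; this is the
// value a simplestreams-style index would publish alongside the download URL.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// StoreUnverified models the weak pattern: whatever the remote served is
// cached under the fingerprint the index claimed, without any check. Anyone
// who later asks the cache for that fingerprint gets the substituted blob.
func (c *ImageCache) StoreUnverified(expected string, data []byte) {
	c.images[expected] = data
}

// StoreVerified is the hardened form: the blob is hashed locally and only
// enters the cache when its digest equals the expected fingerprint, so a
// tampered download can never be served to other consumers of the cache.
func (c *ImageCache) StoreVerified(expected string, data []byte) error {
	got := Fingerprint(data)
	if got != expected {
		return fmt.Errorf("%w (expected %s, got %s)", ErrFingerprintMismatch, expected, got)
	}
	c.images[expected] = data
	return nil
}

// Lookup returns the cached blob for a fingerprint and whether it was present.
func (c *ImageCache) Lookup(fp string) ([]byte, bool) {
	data, ok := c.images[fp]
	return data, ok
}

func main() {
	// Constructed sample data: a genuine image and a substituted one.
	genuine := []byte("constructed sample: genuine image rootfs")
	substituted := []byte("constructed sample: substituted image rootfs")
	expected := Fingerprint(genuine)

	weak := NewImageCache()
	weak.StoreUnverified(expected, substituted)
	blob, _ := weak.Lookup(expected)
	fmt.Printf("unverified cache serves genuine bytes: %v\n", string(blob) == string(genuine))

	strict := NewImageCache()
	if err := strict.StoreVerified(expected, substituted); err != nil {
		fmt.Println("verified cache rejected substituted blob:", err)
	}
	if err := strict.StoreVerified(expected, genuine); err == nil {
		fmt.Println("verified cache accepted genuine blob")
	}
}
```

The design point is that the fingerprint must be recomputed from the bytes actually received rather than trusted from the index or the transport; the verification has to happen before the blob is written anywhere another tenant can read it.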
How can this vulnerability impact me?
The vulnerability can lead to image cache poisoning, which means that an attacker could cause your system to run malicious images instead of the expected ones. This could compromise the integrity and security of your containers or virtual machines. Under very narrow circumstances, this could also expose other tenants to attacker-controlled images, potentially leading to unauthorized access or execution of malicious code.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Incus to version 6.23.0 or later, as this version patches the issue related to image fingerprint validation.