CVE-2026-33542
Incus does not verify combined fingerprint when downloading images from simplestreams servers
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 12th |
Incus is a system container and virtual machine manager. Prior to version 6.23.0, Incus does not validate the image fingerprint when downloading from simplestreams image servers. This opens the door to image cache poisoning and, under very narrow circumstances, exposes other tenants to running attacker-controlled images rather than the expected one. Version 6.23.0 patches the issue.
| CWE | CWE-295 |
| Vendor | lxc |
| Product | incus |
| Published | Mar 26, 2026 |
| Last Updated | Mar 30, 2026 |
Affected Versions
lxc / incus
< 6.23.0