CVE-2026-33542

Name: CVE-2026-33542
Description: Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and, under very narrow circumstances, exposes other tenants to running attacker-controlled images rather than the expected one. Version 6.23.0 patches the issue.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
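The check the description above is about, as an added Go example that is not Incus's own code: a toy image cache that stores a downloaded image under the fingerprint the caller requested, once without and once with recomputing the fingerprint of the bytes that actually arrived. The cache type, function names and sample image bytes are all constructed for the illustration; it assumes the fingerprint is the hex SHA-256 of the image bytes, and it does not model how a mismatching download comes about (the advisory's "very narrow circumstances"), only what the cache does with one.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// imageCache is a toy stand-in for a server-side image store keyed by
// fingerprint. Added illustration, not Incus's own code.
type imageCache struct {
	images map[string][]byte
}

func newImageCache() *imageCache {
	return &imageCache{images: make(map[string][]byte)}
}

// fingerprint computes the hex SHA-256 of an image. The example assumes this
// is the form in which the simplestreams index advertises an image.
func fingerprint(img []byte) string {
	sum := sha256.Sum256(img)
	return hex.EncodeToString(sum[:])
}

// storeUnverified mirrors the flaw the advisory describes: the bytes that came
// back from the image server are cached under the fingerprint the caller asked
// for, without checking that they actually hash to it.
func (c *imageCache) storeUnverified(requested string, body []byte) {
	c.images[requested] = body
}

// storeVerified recomputes the fingerprint of the downloaded bytes and refuses
// to cache them unless it equals the requested one, so a mismatching response
// is never handed to a later requester of that fingerprint.
func (c *imageCache) storeVerified(requested string, body []byte) error {
	got := fingerprint(body)
	if got != requested {
		return fmt.Errorf("image fingerprint mismatch: requested %s, got %s", requested, got)
	}
	c.images[requested] = body
	return nil
}

// get serves a cached image by fingerprint, as a second tenant's launch would.
func (c *imageCache) get(fp string) ([]byte, bool) {
	img, ok := c.images[fp]
	return img, ok
}

// poisonReachesCache plays the scenario through once. Constructed inputs: a
// "legitimate" image whose fingerprint the index lists, and a different image
// that the download unexpectedly returns. It reports whether a tenant that
// later asks for the listed fingerprint would be served the unexpected bytes.
func poisonReachesCache(verify bool) bool {
	legit := []byte("constructed: legitimate image bytes")
	unexpected := []byte("constructed: attacker-controlled image bytes")
	listed := fingerprint(legit) // what the simplestreams index says to expect

	c := newImageCache()
	if verify {
		// Rejected with an error: nothing is cached under the listed fingerprint.
		_ = c.storeVerified(listed, unexpected)
	} else {
		c.storeUnverified(listed, unexpected)
	}

	cached, ok := c.get(listed)
	return ok && bytes.Equal(cached, unexpected)
}

func main() {
	fmt.Println("unverified download poisons cache:", poisonReachesCache(false))
	fmt.Println("verified download poisons cache:  ", poisonReachesCache(true))
}
```

The point of the verified path is that the fingerprint is the cache key, so the only thing that keeps a cache entry honest is checking the stored bytes against that key before the entry exists; a check done anywhere later (at launch time, say) still leaves other tenants reading the poisoned entry in between.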

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                   | Version                             | Status
incus (PTS)    | trixie (security), trixie | 6.0.4-2+deb13u4                     | vulnerable
               | forky                     | 6.0.6-1                             | vulnerable
               | sid                       | 6.0.6-2                             | fixed
lxd (PTS)      | bookworm                  | 5.0.2-5+deb12u2                     | vulnerable
               | bookworm (security)       | 5.0.2-5+deb12u3                     | vulnerable
               | trixie (security), trixie | 5.0.2+git20231211.1364ae4-9+deb13u3 | vulnerable

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
incus   | source | (unstable) | 6.0.6-2       |         |        |
lxd     | source | (unstable) | (unfixed)     |         |        |

Notes

https://github.com/lxc/incus/pull/3092
https://github.com/lxc/incus/security/advisories/GHSA-p8mm-23gg-jc9r
