CVE-2026-33542

Name: CVE-2026-33542
Description: Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and, under very narrow circumstances, exposes other tenants to running attacker-controlled images rather than the expected one. Version 6.23.0 patches the issue.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-6184-1, DSA-6188-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                        Version                                  Status
incus (PTS)      trixie (security), trixie      6.0.4-2+deb13u7                          fixed
incus (PTS)      forky                          7.0.0-1                                  fixed
incus (PTS)      sid                            7.0.0-2                                  fixed
lxd (PTS)        bookworm, bookworm (security)  5.0.2-5+deb12u6                          fixed
lxd (PTS)        trixie (security), trixie      5.0.2+git20231211.1364ae4-9+deb13u6      fixed

The information below is based on the following data on fixed versions.

Package   Type     Release     Fixed Version                            Urgency   Origin       Debian Bugs
incus     source   trixie      6.0.4-2+deb13u5                                    DSA-6184-1
incus     source   (unstable)  6.0.6-2
lxd       source   bookworm    5.0.2-5+deb12u4                                    DSA-6188-1
lxd       source   trixie      5.0.2+git20231211.1364ae4-9+deb13u4                DSA-6188-1
lxd       source   (unstable)  (unfixed)

Notes

https://github.com/lxc/incus/pull/3092
https://github.com/lxc/incus/security/advisories/GHSA-p8mm-23gg-jc9r
