CVE-2026-33542

Publication date 30 March 2026

Last updated 30 March 2026

Ubuntu priority

Description

Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one. Version 6.23.0 patches the issue.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
incus	25.10 questing	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Not in release
lxd	25.10 questing	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2026-33542
https://github.com/lxc/incus/pull/3092
https://github.com/lxc/incus/security/advisories/GHSA-p8mm-23gg-jc9r

CVE-2026-33542

Description

Status

References

Other references

Access our resources on patching vulnerabilities