PT-2026-28494 · Incus+1

Wl2018 · Published 2026-01-01 · Updated 2026-04-30 · CVE-2026-33542

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: Incus versions prior to 6.23.0

Description: Incus does not validate the image fingerprint when downloading images from simplestreams image servers. This allows image cache poisoning: under narrow circumstances an attacker can supply a compromised image to other users of the same system. The attacker needs access to an Incus server whose image sources are not restricted (no restricted.image.servers setting or equivalent firewall rules) and must be able to predict which images other users are likely to deploy. The attack consists of serving a compromised image under the same fingerprint as a legitimate one, so that it may replace the legitimate image in the cache. This could affect systems running ephemeral instances for CI or build purposes, where image usage is more predictable.

Recommendations: Update versions prior to 6.23.0 to version 6.23.0 or later. As a temporary workaround, configure restricted.image.servers in the project configuration, or implement equivalent firewall or HTTP proxy policies to restrict image sources.
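The cache-poisoning condition described above, modelled as an added example (not Incus code): a simplestreams-style index entry advertises a fingerprint, and the cache either trusts that advertised value as its key (the vulnerable pattern) or hashes the downloaded payload and refuses anything that does not match (the hardened pattern). The index entry, image bytes and the use of plain SHA-256 over the payload as the fingerprint are constructed simplifications.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class IndexEntry:
    # Constructed stand-in for a simplestreams product entry: alias plus the
    # fingerprint the server *claims* the payload has.
    alias: str
    fingerprint: str  # hex SHA-256 (assumed fingerprint scheme)


@dataclass
class ImageCache:
    # fingerprint -> payload; shared by every user of the server, which is
    # why a poisoned entry reaches other projects.
    images: dict = field(default_factory=dict)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def cache_unverified(cache: ImageCache, entry: IndexEntry, payload: bytes) -> str:
    """Vulnerable pattern: the advertised fingerprint is used as the cache key
    without hashing the payload, so whatever the server sends overwrites the
    entry for any fingerprint it chooses."""
    cache.images[entry.fingerprint] = payload
    return entry.fingerprint


def cache_verified(cache: ImageCache, entry: IndexEntry, payload: bytes) -> str:
    """Hardened pattern: hash what was actually downloaded and only cache it
    under a fingerprint that matches the advertised one."""
    actual = sha256_hex(payload)
    if actual != entry.fingerprint:
        raise ValueError(f"{entry.alias}: advertised {entry.fingerprint[:12]}, got {actual[:12]}")
    cache.images[actual] = payload
    return actual


# Constructed sample: a legitimate payload and a tampered one served under the
# same advertised fingerprint.
LEGIT_IMAGE = b"constructed legitimate rootfs payload"
TAMPERED_IMAGE = b"constructed rootfs payload with unwanted changes"
LEGIT_FP = sha256_hex(LEGIT_IMAGE)
ENTRY = IndexEntry("images:debian/12", LEGIT_FP)


def demo() -> tuple[bool, bool, bool]:
    """Returns (vulnerable cache poisoned, hardened cache rejected tampered
    payload, hardened cache still holds the legitimate payload)."""
    vuln = ImageCache()
    cache_unverified(vuln, ENTRY, LEGIT_IMAGE)
    cache_unverified(vuln, ENTRY, TAMPERED_IMAGE)  # silently replaces the image
    poisoned = vuln.images[LEGIT_FP] == TAMPERED_IMAGE
    fixed = ImageCache()
    cache_verified(fixed, ENTRY, LEGIT_IMAGE)
    try:
        cache_verified(fixed, ENTRY, TAMPERED_IMAGE)
        rejected = False
    except ValueError:
        rejected = True
    return poisoned, rejected, fixed.images[LEGIT_FP] == LEGIT_IMAGE


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```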

Weakness Enumeration: Improper Certificate Validation

Related Identifiers

BDU:2026-07366
CVE-2026-33542
GHSA-P8MM-23GG-JC9R
GO-2026-4882
OPENSUSE-SU-2026:10450-1

Affected Products

Incus
RED OS