Platform
go
Component
github.com/lxc/incus
Fixed in
6.23.1
6.23.0
CVE-2026-33542 describes a vulnerability in Incus, a Kubernetes-native storage orchestrator. This flaw stems from inadequate verification of combined fingerprints during image downloads from Simplestreams servers, potentially allowing malicious actors to inject compromised images into the system. The vulnerability impacts versions of Incus before 6.23.0, and a patch has been released to address the issue.
An attacker exploiting this vulnerability could craft a malicious container image and distribute it through a compromised simplestreams server. When Incus downloads this image without proper fingerprint verification, it will be treated as legitimate. This allows the attacker to execute arbitrary code within the container, potentially gaining control of the underlying host or accessing sensitive data. The blast radius extends to any application or service relying on containers pulled from the affected simplestreams server. This is particularly concerning in Kubernetes environments where container images are a core component of application deployment.
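As an added illustration (not code from the Incus project or from this page), the following Go program shows the check whose inadequacy the advisory describes: recompute the combined fingerprint from the bytes that were actually downloaded and refuse to cache the image unless it matches what the index advertised. It assumes the combined fingerprint is SHA-256 over the metadata tarball followed by the rootfs, hashed as one stream; the image bytes and the advertised fingerprint are constructed sample values, and the map used as a cache stands in for Incus's image store.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// ImageParts holds the two files that make up a split image as served from a
// simplestreams index: the metadata tarball and the rootfs. The contents used
// below are constructed sample bytes, not real image data.
type ImageParts struct {
	Metadata []byte
	Rootfs   []byte
}

// ErrFingerprintMismatch is returned when the recomputed fingerprint differs
// from the one the index advertised.
var ErrFingerprintMismatch = errors.New("combined fingerprint mismatch")

// CombinedFingerprint recomputes the image fingerprint from the downloaded
// bytes. Assumption for this example: the combined fingerprint is SHA-256 over
// the metadata tarball followed by the rootfs, hashed as one stream.
func CombinedFingerprint(p ImageParts) string {
	h := sha256.New()
	h.Write(p.Metadata)
	h.Write(p.Rootfs)
	return hex.EncodeToString(h.Sum(nil))
}

// VerifyImage compares the fingerprint recomputed from what was actually
// downloaded with the value the index advertised. An index that advertises
// no fingerprint at all is refused rather than trusted.
func VerifyImage(p ImageParts, advertised string) error {
	if advertised == "" {
		return errors.New("index advertised no combined fingerprint; refusing image")
	}
	got := CombinedFingerprint(p)
	if subtle.ConstantTimeCompare([]byte(got), []byte(advertised)) != 1 {
		return fmt.Errorf("%w: advertised %s, computed %s", ErrFingerprintMismatch, advertised, got)
	}
	return nil
}

// ImportImage stores a downloaded image in the local cache keyed by its
// fingerprint, but only after VerifyImage passes. Caching before (or without)
// that check is what lets a tampered download sit in the cache under a
// trusted fingerprint, i.e. image cache poisoning.
func ImportImage(cache map[string]ImageParts, p ImageParts, advertised string) error {
	if err := VerifyImage(p, advertised); err != nil {
		return err
	}
	cache[advertised] = p
	return nil
}

func main() {
	// Constructed sample: a genuine download and the fingerprint a trustworthy
	// index would advertise for it.
	good := ImageParts{Metadata: []byte("metadata.yaml: sample"), Rootfs: []byte("rootfs: sample")}
	fp := CombinedFingerprint(good)

	// A download whose rootfs was swapped but is served under the same fingerprint.
	tampered := ImageParts{Metadata: good.Metadata, Rootfs: []byte("rootfs: swapped")}

	cache := map[string]ImageParts{}
	fmt.Println("good import:", ImportImage(cache, good, fp))
	fmt.Println("tampered import:", ImportImage(cache, tampered, fp))
	fmt.Println("cached entries:", len(cache))
}
```

The tampered download is rejected with ErrFingerprintMismatch and never reaches the cache, while the genuine one is cached under its fingerprint; the empty-fingerprint case is refused explicitly so that a stripped or malformed index entry cannot bypass the check.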
CVE-2026-33542 was publicly disclosed on 2026-04-07. There is no current indication of active exploitation or KEV listing. The vulnerability's impact relies on controlling or compromising a simplestreams server, which could be a complex prerequisite. Public proof-of-concept exploits are not currently available.
Organizations heavily reliant on containerized applications managed by Incus, particularly those using Simplestreams for image storage and distribution, are at risk. Environments with limited image scanning capabilities or weak network segmentation policies are especially vulnerable.
• go / application: Examine Incus logs for errors related to image downloads and fingerprint verification. Use go tool pprof to analyze Incus's performance and identify potential bottlenecks related to fingerprinting.
• generic web: Monitor Simplestreams server logs for unusual image upload patterns or requests from Incus instances.
• linux / server: Use journalctl -u incus to check for error messages related to image downloads and fingerprint verification failures. Implement auditd rules to monitor access to the Simplestreams API.
disclosure
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33542 is to upgrade Incus to version 6.23.0 or later, which includes the necessary fingerprint verification fix. If immediate upgrade is not feasible, consider temporarily disabling image downloads from the vulnerable simplestreams server. Implementing network segmentation to isolate Incus from untrusted networks can also reduce the attack surface. Monitor Incus logs for any unusual image download activity. While a WAF is unlikely to directly address this, ensuring the simplestreams server itself is secured is crucial.
Update Incus to version 6.23.0 or later. This version fixes the missing fingerprint validation when downloading images from simplestreams servers, which prevents image cache poisoning and the possible execution of attacker-controlled images.
CVE-2026-33542 is a HIGH severity vulnerability in Incus affecting versions before 6.23.0. It allows attackers to potentially compromise container images by exploiting insufficient fingerprint verification when downloading from Simplestreams.
You are affected if you are running Incus versions prior to 6.23.0 and using Simplestreams for image storage and distribution. Upgrade to 6.23.0 to eliminate this risk.
Upgrade Incus to version 6.23.0 or later. This version includes the necessary fingerprint verification fix to prevent image compromise.
No public proof-of-concept exploits are currently known, but the vulnerability's nature makes it a potential target for exploitation. Continuous monitoring is recommended.
Refer to the official Incus project website and security advisories for the latest information and updates regarding CVE-2026-33542.