Platform
go
Component
github.com/lxc/incus
Fixed in
6.23.1
6.23.0
CVE-2026-33542 describes a vulnerability in Incus, the system container and virtual machine manager forked from LXD. Incus pulls images from Simplestreams image servers as a metadata tarball plus a root filesystem, and the server's index publishes a combined fingerprint (a SHA-256 over both files) that identifies the image. The flaw stems from inadequate verification of that combined fingerprint after download, potentially allowing an attacker who can influence what the image server returns to get tampered images accepted into the local image store. The vulnerability impacts versions of Incus before 6.23.0, and a patch has been released to address the issue.
An attacker exploiting CVE-2026-33542 needs to control or compromise a Simplestreams image server that an Incus host trusts, or be able to tamper with the files that server returns. They can then serve image files whose contents do not match the combined fingerprint advertised in the index. Because Incus fails to properly verify the combined fingerprint during the download process, the daemon would import the tampered image unnoticed and launch instances from it. This could lead to attacker-controlled code running inside every container or virtual machine created from the poisoned image, data exfiltration from those instances, and a foothold from which the Incus host itself can be attacked. The blast radius extends to every instance launched from images pulled from the affected Simplestreams remote, on every Incus host that uses it, because the poisoned copy persists in the local image cache. This vulnerability shares similarities with other image supply chain attacks where fingerprint or digest verification is bypassed.
CVE-2026-33542 was publicly disclosed on 2026-04-07. The EPSS score is 0.04% (11th percentile). No public proof-of-concept exploits are currently known, but because the flaw turns any trusted image server into a delivery channel for attacker-controlled code, it is a natural target for anyone who can compromise or impersonate such a server. Monitor CISA advisories and security mailing lists for updates.
Exploit Status
EPSS
0.04% (11th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33542 is to upgrade Incus to version 6.23.0 or later, which includes the necessary fingerprint verification fix. If immediate upgrading is not feasible, consider implementing stricter image scanning policies to detect potentially malicious images before deployment, and restrict configured remotes to image servers you operate or trust. Network segmentation can also limit the impact of a successful exploit by restricting which hosts can reach Simplestreams servers and which servers Incus hosts can reach. Monitor the Incus daemon logs for unusual activity or unexpected image downloads. After upgrading, confirm the fix in a test environment by pointing Incus at a test image server that advertises a combined fingerprint which deliberately does not match the served files, and verifying that the import fails with a fingerprint verification error.
Update Incus to version 6.23.0 or higher. This version corrects the lack of combined fingerprint validation when downloading from Simplestreams image servers, thus preventing image cache poisoning and the potential execution of attacker-controlled images.
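To make the fixed behaviour concrete, the following Go program shows the post-download check that the vulnerable versions lacked: recompute the combined fingerprint over the bytes actually received and refuse the image unless it matches the value the index advertised. This is an added illustration, not code from the Incus project; the definition of the combined fingerprint as sha256(metadata tarball || rootfs), the function names, and the sample file contents are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrFingerprintMismatch is returned when the combined fingerprint computed over
// the downloaded files does not match the value published by the image server.
var ErrFingerprintMismatch = errors.New("combined fingerprint mismatch")

// CombinedFingerprint hashes the metadata tarball followed by the rootfs with
// SHA-256 and returns the lowercase hex digest. Treating the combined
// fingerprint as sha256(metadata || rootfs) is an assumption of this example;
// it mirrors the simplestreams combined_*_sha256 convention but is not taken
// from the Incus source.
func CombinedFingerprint(metadata, rootfs io.Reader) (string, error) {
	h := sha256.New()
	if _, err := io.Copy(h, metadata); err != nil {
		return "", fmt.Errorf("hashing metadata: %w", err)
	}
	if _, err := io.Copy(h, rootfs); err != nil {
		return "", fmt.Errorf("hashing rootfs: %w", err)
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// VerifyCombined is the post-download check: it recomputes the combined
// fingerprint over what was actually received and compares it with the
// fingerprint advertised in the index. A missing or malformed expected value
// is rejected too, so an index that omits the field cannot disable the check.
func VerifyCombined(metadata, rootfs []byte, expected string) error {
	expected = strings.ToLower(strings.TrimSpace(expected))
	if len(expected) != hex.EncodedLen(sha256.Size) {
		return fmt.Errorf("%w: index did not publish a valid combined sha256", ErrFingerprintMismatch)
	}
	got, err := CombinedFingerprint(bytes.NewReader(metadata), bytes.NewReader(rootfs))
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
		return fmt.Errorf("%w: expected %s, got %s", ErrFingerprintMismatch, expected, got)
	}
	return nil
}

// Constructed stand-ins for the two files an image download yields. Real
// downloads are a metadata tarball and a squashfs or qcow2 root filesystem;
// these are arbitrary bytes so the example runs offline.
var (
	sampleMetadata = []byte("constructed metadata tarball bytes\n")
	sampleRootfs   = []byte("constructed rootfs bytes\n")
)

func main() {
	// The "published" value is whatever the index advertised; here it is
	// derived from the genuine files so the first import succeeds.
	published, _ := CombinedFingerprint(bytes.NewReader(sampleMetadata), bytes.NewReader(sampleRootfs))
	fmt.Println("genuine image:", VerifyCombined(sampleMetadata, sampleRootfs, published))

	// A compromised server or on-path attacker swaps the rootfs but leaves
	// the index alone: the recomputed fingerprint no longer matches.
	tampered := append([]byte(nil), sampleRootfs...)
	tampered[0] ^= 0xff
	fmt.Println("tampered rootfs:", VerifyCombined(sampleMetadata, tampered, published))

	// An index that drops the fingerprint field must not pass either.
	fmt.Println("missing fingerprint:", VerifyCombined(sampleMetadata, sampleRootfs, ""))
}
```

The point of the three cases in main is the order of operations: the fingerprint is checked against the full downloaded bytes before anything is written to the image store or launched, and an absent fingerprint fails closed rather than skipping verification.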
CVE-2026-33542 is a HIGH severity vulnerability in Incus affecting versions before 6.23.0. It allows attackers who can influence a trusted Simplestreams image server's responses to get tampered container or virtual machine images accepted, by exploiting insufficient combined fingerprint verification during download.
You are affected if you are running Incus versions prior to 6.23.0 and pull images from Simplestreams image servers. Upgrade to 6.23.0 or later to eliminate this risk.
Upgrade Incus to version 6.23.0 or later. This version includes the necessary fingerprint verification fix to prevent image compromise.
No public proof-of-concept exploits are currently known, but the vulnerability's nature makes it a potential target for exploitation. Continuous monitoring is recommended.
Refer to the official Incus project website and security advisories for the latest information and updates regarding CVE-2026-33542.