Skip to main content

Red Hat CVE-2026-33542

| EUVDEUVD-2026-16460 MEDIUM
Improper Certificate Validation (CWE-295)
2026-03-26 GitHub_M GHSA-p8mm-23gg-jc9r
5.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.7 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Red Hat
8.5 HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 23:01 euvd
EUVD-2026-16460
Analysis Generated
Mar 26, 2026 - 23:01 vuln.today
CVE Published
Mar 26, 2026 - 22:32 nvd
MEDIUM 5.7

DescriptionGitHub Advisory

Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one. Version 6.23.0 patches the issue.

AnalysisAI

Incus versions prior to 6.23.0 fail to validate image fingerprints when downloading from simplestreams servers, enabling attackers with local privileges to poison the image cache and potentially cause other tenants to execute attacker-controlled container or virtual machine images instead of legitimate ones. The vulnerability requires local authentication and specific conditions but carries high integrity impact in multi-tenant environments; no active exploitation has been confirmed.

Technical ContextAI

Incus (cpe:2.3:a:lxc:incus:*:*:*:*:*:*:*:*) is a system container and virtual machine manager that orchestrates container and VM deployments. The vulnerability stems from CWE-295 (Improper Certificate Validation), specifically the absence of cryptographic verification of image fingerprints during download operations from simplestreams image repositories. Simplestreams is a protocol for publishing streams of cloud images with metadata; proper validation requires verifying the cryptographic digest (fingerprint) of downloaded image artifacts matches the expected value advertised in repository metadata. The lack of this validation creates a window for cache poisoning attacks where an attacker with local credentials could intercept or influence the download process to substitute a malicious image, which would then be cached and served to other tenants requesting the same image identifier.

RemediationAI

Upgrade Incus to version 6.23.0 or later immediately. This is the vendor-released patch that restores cryptographic validation of image fingerprints. Organizations unable to patch immediately should restrict network access to simplestreams repositories to trusted, authenticated channels only; implement image pull verification workflows that independently validate fingerprints outside the Incus download path; and segregate multi-tenant deployments to minimize blast radius if cache poisoning occurs. Consult the GitHub security advisory (https://github.com/lxc/incus/security/advisories/GHSA-p8mm-23gg-jc9r) for additional mitigation guidance and patch verification procedures.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-33542 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy