Incus versions prior to 6.23.0 contain a medium-severity vulnerability tracked as CVE-2026-33542, disclosed in late March 2026. The flaw stems from a missing combined fingerprint verification when downloading container images, potentially allowing attackers to poison the local image cache. Administrators running Incus in development, testing, or production environments should upgrade immediately to version 6.23.0 or later to eliminate the risk.
Understanding Incus and Its Role in Modern Infrastructure
Incus is a next-generation system container and virtual machine manager that emerged as a community-driven fork of Linux Containers (LXD). It provides a user-friendly experience for managing both containers and VMs, drawing on advanced Linux kernel features such as namespaces and cgroups. Unlike Docker, which focuses on application packaging, Incus offers full system containers that behave like lightweight virtual machines. This makes it popular for local development, CI/CD pipelines, and multi-tenant cloud environments.
For Windows professionals, Incus typically runs inside Windows Subsystem for Linux (WSL) or on dedicated Linux servers. With the growing adoption of cross-platform container workflows, a vulnerability in a critical infrastructure tool like Incus can have ripple effects across mixed-OS landscapes. A poisoned image cache could compromise not only Linux hosts but also Windows hosts indirectly if shared container images are used in build processes or service deployments.
CVE-2026-33542: The Technical Breakdown
The vulnerability resides in how Incus handles image downloads from remote servers. When a new image is requested, Incus retrieves it, computes its cryptographic fingerprints to ensure integrity, and stores it in a local cache for future use. Under normal circumstances, Incus should validate a combined fingerprint—a concatenation of the image’s primary and instance-specific fingerprints—against the server’s published signature. This combined check prevents tampering at multiple stages of the download and storage pipeline.
CVE-2026-33542 reveals that Incus versions before 6.23.0 skipped this combined fingerprint verification in certain code paths. An attacker positioned between the Incus host and the image server—for example, through ARP spoofing, DNS poisoning, or a compromised network proxy—could intercept the download. By substituting the legitimate image with a malicious one that still matches the expected individual fingerprints, the attacker could trick Incus into accepting and caching the tainted image.
Once poisoned, the local image cache becomes a persistent threat. Any subsequent container or VM launched from that cached image will carry the attacker’s payload. This supply-chain-style attack survives system reboots and repeated image reuse, making it difficult to detect without manual inspection of the cache contents.
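The combined check the article describes, modelled as an added shell example (this is not Incus code): it assumes a split image is shipped as a metadata tarball plus a rootfs and that the combined fingerprint is the SHA-256 over the two parts concatenated in that order; the image bytes it builds are constructed sample data.

```shell
#!/bin/sh
# Added example, not Incus source: a model of the check the article says was
# skipped. Assumption: a split image arrives as a metadata tarball plus a
# rootfs, and the combined fingerprint is the SHA-256 over the two parts
# concatenated in that order. The "image" bytes below are constructed.

# Fingerprint of one part on its own (what an individual check compares).
part_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Fingerprint over metadata || rootfs (what the cache must verify).
combined_fingerprint() {
    cat "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Incomplete check: the metadata fingerprint alone decides acceptance, so a
# rootfs swapped in transit is never bound to any published value.
weak_accept() {  # <meta> <rootfs> <expected_meta_fingerprint>
    [ "$(part_fingerprint "$1")" = "$3" ]
}

# Fail-closed check: nothing enters the cache unless the combined value matches.
strict_accept() {  # <meta> <rootfs> <expected_combined_fingerprint>
    [ "$(combined_fingerprint "$1" "$2")" = "$3" ]
}

# Walk through one download: record the published fingerprints of an intact
# image, then replace the rootfs on the wire and see which check still passes.
demo() {
    dir=$(mktemp -d)
    printf 'architecture: x86_64\n' > "$dir/meta.tar"
    printf 'original rootfs bytes\n' > "$dir/rootfs.squashfs"
    meta_fp=$(part_fingerprint "$dir/meta.tar")
    combined_fp=$(combined_fingerprint "$dir/meta.tar" "$dir/rootfs.squashfs")
    intact=reject
    strict_accept "$dir/meta.tar" "$dir/rootfs.squashfs" "$combined_fp" && intact=accept

    printf 'rootfs replaced by an on-path attacker\n' > "$dir/rootfs.squashfs"
    weak=reject; strict=reject
    weak_accept "$dir/meta.tar" "$dir/rootfs.squashfs" "$meta_fp" && weak=accept
    strict_accept "$dir/meta.tar" "$dir/rootfs.squashfs" "$combined_fp" && strict=accept

    rm -rf "$dir"
    echo "intact=$intact weak=$weak strict=$strict"   # intact=accept weak=accept strict=reject
}
```

Running `demo` shows the point of the fix: the per-part check still accepts the tampered image, while the combined check rejects it before anything reaches the cache.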
Severity and Exploitability
The vulnerability has been assigned a medium severity, indicating that while exploitation requires network-level access, the potential impact on confidentiality, integrity, and availability is significant. In environments where Incus images are pulled from public or shared repositories, the attack surface expands. A successful compromise could lead to:
- Execution of arbitrary code inside new containers or VMs.
- Privilege escalation if the container is run with elevated capabilities.
- Data exfiltration from development or staging environments.
- Lateral movement into other systems that mount volumes from the poisoned container.
No active exploits were publicly reported at the time of disclosure, but the nature of the vulnerability makes it a prime candidate for targeted attacks against organizations that heavily rely on Incus for their infrastructure.
The Fix: Incus 6.23.0 and Beyond
The Incus maintainers addressed the issue in release 6.23.0 by reintroducing the proper combined fingerprint validation logic. The patch ensures that both primary and instance fingerprints are verified atomically before the image is cached. As a result, any mismatch causes the download to fail immediately, preventing the cache from being populated with untrusted data.
Upgrading to Incus 6.23.0 is the only reliable remediation. The upgrade process varies by distribution but generally involves updating the package repository and installing the latest incus package. For systems configured to pull from stable release channels, a simple apt upgrade or snap refresh incus may suffice. It is worth verifying the installed version with incus version after the upgrade.
Incus’s built-in image expiry mechanisms do not retroactively cleanse poisoned caches. Administrators who suspect a prior compromise should manually delete suspicious images from the local cache (incus image list and incus image delete <fingerprint>) and repopulate the cache from trusted sources after updating.
Why Image Cache Poisoning Matters in the Container Era
Container image supply chains are a prime target for adversaries. Tools like Docker Hub and GitHub Container Registry have fortified their signing and scanning processes, yet local caching layers often remain overlooked. Incus’s vulnerability highlights a recurring pattern: signature verification must cover every link in the download chain, not just the initial fetch.
Missing combined fingerprint checks can appear in any tool that aggregates several pieces of integrity metadata. Similar vulnerabilities have surfaced in package managers (e.g., APT, DNF) over the years, where only partial signature checks were performed. The Incus fix serves as a reminder to audit all container orchestration tools for analogous flaws.
For Windows users leveraging Incus through WSL, the attack scenario changes slightly. The network path between WSL and external servers traverses the Windows host’s network stack. A compromised Windows machine could intercept WSL traffic and launch a man-in-the-middle attack against an unpatched Incus instance. Conversely, if the Windows host is the attacker’s initial entry point, an unpatched Incus inside WSL becomes a stepping stone for deeper infiltration.
Steps to Secure Your Incus Deployment
Beyond applying the 6.23.0 update, security-conscious teams can implement several layers of defense:
- Verify image sources – Always pull images from official, signed repositories. Use incus remote list to review configured remotes and remove untrusted ones.
- Network segmentation – Place Incus hosts in isolated network segments where man-in-the-middle attacks are harder to mount. Implement strict firewall rules limiting outbound connections to known image servers.
- Monitor cache integrity – Regularly compute and compare cached image fingerprints against published values using incus image info. Automate this for frequent image consumers.
- Use private registries – Host an internal image registry with authenticated access and your own signing keys. This reduces reliance on public infrastructure.
- Apply the principle of least privilege – Run containers with minimal capabilities, even during development. A poisoned image may still be contained if the runtime sandbox is tight.
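An added shell script (not from the Incus project) that automates two of the steps above, the version check from the remediation section and the cache-integrity comparison: it assumes `incus version` prints a dotted version number (possibly prefixed with a label) and that `incus image list --format csv -c lF` prints one alias,fingerprint line per cached image; the aliases and fingerprints in it are shortened, constructed values.

```shell
#!/bin/sh
# Added example, not part of Incus: two post-disclosure checks an administrator
# can script. Assumptions: `incus version` prints a dotted version number
# (possibly prefixed, e.g. "Server version: 6.22"), and
# `incus image list --format csv -c lF` prints one "alias,fingerprint" line per
# cached image. Aliases and fingerprints below are shortened, constructed values.

FIXED_VERSION=6.23.0   # first release the article names as containing the fix

# Exit 0 when dotted version $1 is at least $2; a missing component counts as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++)
            if (x[i] + 0 != y[i] + 0) exit (x[i] + 0 < y[i] + 0)
        exit 0 }'
}

# Exit 0 when a line of `incus version` output names a version at or past the fix.
incus_patched() {
    v=$(printf '%s\n' "$1" | grep -o '[0-9][0-9.]*' | head -n 1)
    [ -n "$v" ] && version_ge "$v" "$FIXED_VERSION"
}

# Read "alias,fingerprint" lines on stdin and compare each cached fingerprint
# against a file of published fingerprints (one per line). Prints a status line
# per image and returns 1 if anything not on the list is sitting in the cache.
audit_cache() {  # <allowlist_file>
    rc=0
    while IFS=, read -r alias fp; do
        [ -n "$fp" ] || continue
        if grep -qx "$fp" "$1"; then
            echo "ok       ${alias:-<no alias>} $fp"
        else
            echo "UNKNOWN  ${alias:-<no alias>} $fp  (review, then: incus image delete $fp)"
            rc=1
        fi
    done
    return $rc
}

# Constructed stand-in for `incus image list --format csv -c lF` output and for
# the list of fingerprints published by the trusted image server.
SAMPLE_CACHE='debian/12,c0ffee000001
ubuntu/24.04,c0ffee000002
,c0ffee000bad'
SAMPLE_ALLOWLIST='c0ffee000001
c0ffee000002'
```

On a live host, `incus version | while read -r line; do incus_patched "$line" || echo "unpatched: $line"; done` gates the upgrade, and `incus image list --format csv -c lF | audit_cache published.txt` flags cached images whose fingerprint the trusted server never published.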
The Bigger Picture for Windows Enthusiasts
Windows ecosystems increasingly rely on Linux-based containers, whether for cloud-native applications, DevOps pipelines, or data science workloads. Incus’s CVE-2026-33542 underscores that the security of these hybrid environments depends on prompt patching of all components—even those that seem peripheral at first glance.
Microsoft’s own container offerings, such as Windows Containers and Azure Kubernetes Service, have dedicated security teams that address similar vulnerabilities quickly. However, community-run tools like Incus depend on their user base to stay informed and act swiftly. The disclosure timeline—late March 2026—suggests the Incus community moved rapidly to publish the fix and alert downstream distributions.
For developers using Visual Studio Code’s Remote - Containers extension or building Windows applications that rely on Linux build agents, an unpatched Incus instance could silently compromise local workspaces. While the immediate attack requires network access, malicious actors could target shared office networks or public Wi-Fi at conferences to exploit unpatched systems.
What’s Next for Incus Security
The Incus project’s response to CVE-2026-33542 demonstrates a mature vulnerability management process. The maintainers’ quick turnaround and clear communication set a positive example for open-source container tools. Looking ahead, expect increased scrutiny on image handling code in Incus and similar projects. The community may also introduce additional defense-in-depth measures, such as mandatory TLS-encrypted image downloads and automated cache validity checks.
As container adoption continues to surge, so does the value of reliable supply chain security. CVE-2026-33542 may not be the last of its kind, but it provides a concrete lesson: signature verification must cover the full lifecycle of an image, from registry to local cache and onto the running instance.
Final Takeaway
CVE-2026-33542 is a textbook example of a subtle integrity breach hidden in caching mechanics. The missing combined fingerprint check allowed a malicious actor to slip poisoned images past Incus’s defenses and into long-term storage. The fix is a single version bump away, but the implications for unpatched environments remain severe.
If you manage any Incus instances—whether on bare-metal Linux servers, inside WSL, or as part of a CI/CD farm—verify your version today. Run incus version. If the output is lower than 6.23.0, schedule an immediate update. Clean your image cache, review remote sources, and tighten network controls. A few minutes of maintenance now can prevent months of incident response later.