Fluid Attacks Database

Description

Incus does not verify combined fingerprint when downloading images from simplestreams servers in github.com/lxc/incus Incus does not verify combined fingerprint when downloading images from simplestreams servers in github.com/lxc/incus

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	incus	=6.0.4-2 \|\| =6.0.4-2+deb13u1 \|\| =6.0.4-2+deb13u1~bpo12+1 \|\| =6.0.4-2+deb13u2 \|\| =6.0.4-2+deb13u2~bpo12+1 \|\| =6.0.4-2+deb13u3 \|\| =6.0.4-2+deb13u3~bpo12+1 \|\| =6.0.4-2+deb13u4 \|\| =6.0.4-2+deb13u4~bpo12+1 \|\| =6.0.4-2+deb13u5~bpo12+1 \|\| >=0 <6.0.4-2+deb13u5	6.0.4-2+deb13u5
debian 13	lxd	=5.0.2+git20231211.1364ae4-9 \|\| =5.0.2+git20231211.1364ae4-9+deb13u1 \|\| =5.0.2+git20231211.1364ae4-9+deb13u2 \|\| =5.0.2+git20231211.1364ae4-9+deb13u3 \|\| >=0 <5.0.2+git20231211.1364ae4-9+deb13u4	5.0.2+git20231211.1364ae4-9+deb13u4
debian 12	lxd	=5.0.2-5 \|\| =5.0.2-5+deb12u1 \|\| =5.0.2-5+deb12u2 \|\| =5.0.2-5+deb12u3 \|\| >=0 <5.0.2-5+deb12u4	5.0.2-5+deb12u4
debian 14	incus	=6.0.4-2 \|\| =6.0.4-3 \|\| =6.0.5-1 \|\| =6.0.5-2 \|\| =6.0.5-3 \|\| =6.0.5-4 \|\| =6.0.5-5 \|\| =6.0.5-6 \|\| =6.0.5-7 \|\| =6.0.5-8 \|\| =6.0.6-1 \|\| >=0 <6.0.6-2	6.0.6-2
go	github.com/lxc/incus/v6/client	>=0 <6.23.0	6.23.0
go	github.com/lxc/incus	-	-
go	github.com/lxc/incus/v6	>=0 <6.23.0	6.23.0

Aliases

1. CVE-2026-335422. NVD-2026-335423. OSV-DEBIAN-2026-335424. OSV-2026-335425. OSV-GO-2026-48826. GHSA-p8mm-23gg-jc9r7. GCVE-2026-335428. SECURITY-TRACKER-CVE-2026-335429. GHSA-p8mm-23gg-jc9r

References

1. https://github.com/lxc/incus/security/advisories/GHSA-p8mm-23gg-jc9r2. https://github.com/lxc/incus/commit/04e97418189f743411884afb81a3384e6218b8cd3. https://github.com/lxc/incus/commit/4a80447c52d6bc05d3322feeb5395f581e7a80e44. https://github.com/lxc/incus/commit/72688b7d9400c8f3c17ad0f93a7c1aeb896273075. https://github.com/lxc/incus/commit/ee26f72524ab60a4abcfd4e52667c52bb24364fc6. https://github.com/lxc/incus/releases/tag/v6.23.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.