Linux Distros Unpatched Vulnerability : CVE-2026-33743

🗓️ 27 Mar 2026 00:00:00Reported by TenableType

Incus prior to 6.23.0 vulnerable to storage bucket crash; may deny control plane service; fix in 6.23.0.

Reporter	Title	Published	Views	Family All 39
ATTACKERKB	CVE-2026-33743	26 Mar 202622:40	–	attackerkb
AlpineLinux	CVE-2026-33743	26 Mar 202622:40	–	alpinelinux
Circl	CVE-2026-33743	26 Mar 202622:08	–	circl
CNNVD	Incus 安全漏洞	26 Mar 202600:00	–	cnnvd
CVE	CVE-2026-33743	26 Mar 202622:40	–	cve
Cvelist	CVE-2026-33743 Incus vulnerable to denial of source through crafted bucket backup file	26 Mar 202622:40	–	cvelist
Debian	[BSA-129] Security Update for incus	30 Mar 202612:51	–	debian
Debian	[SECURITY] [DSA 6184-1] incus security update	29 Mar 202614:21	–	debian
Debian CVE	CVE-2026-33743	26 Mar 202622:40	–	debiancve
Tenable Nessus	Debian dsa-6184 : golang-github-lxc-incus-dev - security update	29 Mar 202600:00	–	nessus

Source	Link
ubuntu	www.ubuntu.com/security/CVE-2026-33743
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(303971);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/29");

  script_cve_id("CVE-2026-33743");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2026-33743");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted
    storage bucket backup can be used by an user with access to Incus' storage bucket feature to crash the
    Incus daemon. Repeated use of this attack can be used to keep the server offline causing a denial of
    service of the control plane API. This does not impact any running workload, existing containers and
    virtual machines will keep operating. Version 6.23.0 fixes the issue. (CVE-2026-33743)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2026-33743");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:U/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-33743");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/03/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/03/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:24.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:26.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:incus");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Ubuntu Linux-24.04", "Host/OS/Ubuntu Linux-25.10", "Host/OS/Ubuntu Linux-26.04");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Ubuntu Linux-24.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "24.04",
        "pkgs": [
          {"reference": "incus"}
        ]
      }
    ]
  },
  "Ubuntu Linux-25.10": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "25.10",
        "pkgs": [
          {"reference": "incus"}
        ]
      }
    ]
  },
  "Ubuntu Linux-26.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "26.04",
        "pkgs": [
          {"reference": "incus"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

29 May 2026 00:00Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.16.5

EPSS0.00385

SSVC