Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GHSA-47Q9-M4WW-924M
Vulnerability from github – Published: 2026-06-25 21:33 – Updated: 2026-06-25 21:33Description
The Package.Unmarshal() function in pkg/types/alpine/apk.go decompresses the signature and control gzip members of an APK file into in-memory buffers without bounding the total decompressed size. The existing max_apk_metadata_size check (default 1MB) is only applied to individual tar entry header sizes after decompression completes, so it does not prevent a decompression bomb from consuming unbounded heap memory.
An attacker can craft a gzip stream that compresses at a ~1000:1 ratio (e.g., 2MB compressed zeros → 2GB decompressed). When submitted as spec.package.content in an Alpine ProposedEntry, the server decompresses the full payload into memory during request processing, triggering a fatal Go runtime out-of-memory error or OS OOM-kill that cannot be caught by the server's recover() middleware.
This is reachable via two unauthenticated endpoints: - POST /api/v1/log/entries (createLogEntry) - POST /api/v1/log/entries/retrieve (searchLogQuery)
Both invoke V001Entry.Canonicalize() → fetchExternalEntities() → apk.Unmarshal(packageData), which performs the unbounded decompression.
Workarounds
There is no effective workaround. Setting max_request_body_size reduces but does not eliminate exposure due to the ~1000:1 compression ratio (a 1MB body limit still allows ~1GB heap allocation). Setting max_apk_metadata_size has no effect on this vulnerability since the check is applied after decompression.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/sigstore/rekor"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.0"
},
{
"fixed": "1.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48702"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-25T21:33:36Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Description\n\nThe `Package.Unmarshal()` function in `pkg/types/alpine/apk.go` decompresses the signature and control gzip members of an APK file into in-memory buffers without bounding the total decompressed size. The existing `max_apk_metadata_size` check (default 1MB) is only applied to individual tar entry header sizes after decompression completes, so it does not prevent a decompression bomb from consuming unbounded heap memory.\n\nAn attacker can craft a gzip stream that compresses at a ~1000:1 ratio (e.g., 2MB compressed zeros \u2192 2GB decompressed). When submitted as spec.package.content in an Alpine `ProposedEntry`, the server decompresses the full payload into memory during request processing, triggering a fatal Go runtime out-of-memory error or OS OOM-kill that cannot be caught by the server\u0027s recover() middleware.\n\nThis is reachable via two unauthenticated endpoints:\n- POST /api/v1/log/entries (createLogEntry)\n- POST /api/v1/log/entries/retrieve (searchLogQuery)\n\nBoth invoke `V001Entry.Canonicalize()` \u2192 `fetchExternalEntities()` \u2192 `apk.Unmarshal(packageData)`, which performs the unbounded decompression.\n\n## Workarounds\n\nThere is no effective workaround. Setting `max_request_body_size` reduces but does not eliminate exposure due to the ~1000:1 compression ratio (a 1MB body limit still allows ~1GB heap allocation). Setting `max_apk_metadata_size` has no effect on this vulnerability since the check is applied after decompression.",
"id": "GHSA-47q9-m4ww-924m",
"modified": "2026-06-25T21:33:36Z",
"published": "2026-06-25T21:33:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sigstore/rekor/security/advisories/GHSA-47q9-m4ww-924m"
},
{
"type": "PACKAGE",
"url": "https://github.com/sigstore/rekor"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Rekor has an OOM Condition due to Unbounded gzip Decompression in Alpine APK Parsing Logic"
}
RHSA-2026:25138
Vulnerability from csaf_redhat - Published: 2026-06-10 21:27 - Updated: 2026-07-19 22:44A flaw was found in pgx, a PostgreSQL driver and toolkit for Go. This SQL injection vulnerability can occur when using the non-default simple protocol, a dollar-quoted string literal in the SQL query, and when that string literal contains text interpreted as a placeholder with an attacker-controlled value. An attacker could potentially manipulate SQL queries, leading to a low impact on data integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:cosign-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:cosign-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:cosign-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in OpenTelemetry-Go (before schema package version 0.0.17). ParseFile in go.opentelemetry.io/otel/schema/v1.0 and v1.1 opens a schema file and passes it to Parse without closing it, leaking one file descriptor per successful call. Repeated parsing in a long-running process can exhaust the file descriptor limit and cause denial of service.
A flaw was found in Rekor. The `Package.Unmarshal()` function, which processes Alpine Package Keep (APK) files, decompresses gzip streams without limiting the total decompressed size. A remote attacker can exploit this by crafting a malicious APK file with a high compression ratio, causing the server to consume excessive memory. This leads to a Denial of Service (DoS) through an out-of-memory (OOM) error, and can be triggered via unauthenticated API endpoints.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:cosign-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:cosign-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:cosign-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\ncosign:\n * cosign-3.1.1-0.1.hum1 (aarch64, x86_64)\n * cosign-3.1.1-0.1.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:25138",
"url": "https://access.redhat.com/errata/RHSA-2026:25138"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-41889",
"url": "https://access.redhat.com/security/cve/CVE-2026-41889"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-45287",
"url": "https://access.redhat.com/security/cve/CVE-2026-45287"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-48702",
"url": "https://access.redhat.com/security/cve/CVE-2026-48702"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_25138.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-07-19T22:44:44+00:00",
"generator": {
"date": "2026-07-19T22:44:44+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.7"
}
},
"id": "RHSA-2026:25138",
"initial_release_date": "2026-06-10T21:27:43+00:00",
"revision_history": [
{
"date": "2026-06-10T21:27:43+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-07-18T05:32:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-19T22:44:44+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "cosign-main@aarch64",
"product": {
"name": "cosign-main@aarch64",
"product_id": "cosign-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cosign@3.1.1-0.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cosign-main@src",
"product": {
"name": "cosign-main@src",
"product_id": "cosign-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cosign@3.1.1-0.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "cosign-main@x86_64",
"product": {
"name": "cosign-main@x86_64",
"product_id": "cosign-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cosign@3.1.1-0.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cosign-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:cosign-main@aarch64"
},
"product_reference": "cosign-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cosign-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:cosign-main@src"
},
"product_reference": "cosign-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cosign-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:cosign-main@x86_64"
},
"product_reference": "cosign-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-41889",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2026-05-08T17:01:09.435496+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2468307"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in pgx, a PostgreSQL driver and toolkit for Go. This SQL injection vulnerability can occur when using the non-default simple protocol, a dollar-quoted string literal in the SQL query, and when that string literal contains text interpreted as a placeholder with an attacker-controlled value. An attacker could potentially manipulate SQL queries, leading to a low impact on data integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/jackc/pgx: golang: pgx: SQL injection via specific SQL query conditions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has rated this flaw as Moderate because the SQL injection vulnerability in pgx can only be triggered when the non-default simple protocol is used in conjunction with specific query constructions involving PostgreSQL dollar-quoted string literals. Successful exploitation requires multiple uncommon preconditions, including attacker control of placeholder values within affected queries. As the issue is limited to particular application usage patterns and does not affect default pgx configurations, the overall risk is reduced despite the potential for query manipulation in vulnerable applications.The strongest argument for a Moderate rating is that this is not a generic SQL injection affecting all pgx users; it is a narrowly scoped flaw requiring a non-default mode and specific application behavior",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:cosign-main@aarch64",
"Red Hat Hardened Images:cosign-main@src",
"Red Hat Hardened Images:cosign-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-41889"
},
{
"category": "external",
"summary": "RHBZ#2468307",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468307"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-41889",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41889"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-41889",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41889"
},
{
"category": "external",
"summary": "https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da",
"url": "https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da"
},
{
"category": "external",
"summary": "https://github.com/jackc/pgx/releases/tag/v5.9.2",
"url": "https://github.com/jackc/pgx/releases/tag/v5.9.2"
},
{
"category": "external",
"summary": "https://github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx",
"url": "https://github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx"
}
],
"release_date": "2026-05-08T15:53:00.251000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T21:27:43+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:cosign-main@aarch64",
"Red Hat Hardened Images:cosign-main@src",
"Red Hat Hardened Images:cosign-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25138"
},
{
"category": "workaround",
"details": "Avoid using the non-default simple protocol in applications that use the pgx PostgreSQL driver for Go. The vulnerability is contingent on this non-default protocol and specific SQL query constructs. Configuring applications to use the default extended protocol prevents this issue. If the simple protocol is necessary, ensure that dollar-quoted string literals do not contain attacker-controlled placeholder values.",
"product_ids": [
"Red Hat Hardened Images:cosign-main@aarch64",
"Red Hat Hardened Images:cosign-main@src",
"Red Hat Hardened Images:cosign-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:cosign-main@aarch64",
"Red Hat Hardened Images:cosign-main@src",
"Red Hat Hardened Images:cosign-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "github.com/jackc/pgx: golang: pgx: SQL injection via specific SQL query conditions"
},
{
"cve": "CVE-2026-45287",
"cwe": {
"id": "CWE-772",
"name": "Missing Release of Resource after Effective Lifetime"
},
"discovery_date": "2026-06-04T16:01:14.155335+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2484831"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in OpenTelemetry-Go (before schema package version 0.0.17). ParseFile in go.opentelemetry.io/otel/schema/v1.0 and v1.1 opens a schema file and passes it to Parse without closing it, leaking one file descriptor per successful call. Repeated parsing in a long-running process can exhaust the file descriptor limit and cause denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "go.opentelemetry.io/otel: go.opentelemetry.io/otel/schema/v1.0: go.opentelemetry.io/otel/schema/v1.1: OpenTelemetry-Go: Denial of Service due to file descriptor leak",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenTelemetry-Go schema parsing is vulnerable to file descriptor leak in ParseFile for otel/schema v1.0 and v1.1. An attacker who can cause repeated schema parsing against an attacker-influenced file path in a long-running Go process may exhaust file descriptors and crash or stall the service. Exposure is limited to applications that expose schema parsing to untrusted paths; many Red Hat Go services bundle the library transitively without hitting this code path.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:cosign-main@aarch64",
"Red Hat Hardened Images:cosign-main@src",
"Red Hat Hardened Images:cosign-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-45287"
},
{
"category": "external",
"summary": "RHBZ#2484831",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484831"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-45287",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45287"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-45287",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45287"
},
{
"category": "external",
"summary": "https://github.com/open-telemetry/opentelemetry-go/commit/e72a235518cb773137efd80336a179028bc34684",
"url": "https://github.com/open-telemetry/opentelemetry-go/commit/e72a235518cb773137efd80336a179028bc34684"
},
{
"category": "external",
"summary": "https://github.com/open-telemetry/opentelemetry-go/commit/f12d198f161b61735d65705248715aa97021ba8d",
"url": "https://github.com/open-telemetry/opentelemetry-go/commit/f12d198f161b61735d65705248715aa97021ba8d"
},
{
"category": "external",
"summary": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-995v-fvrw-c78m",
"url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-995v-fvrw-c78m"
}
],
"release_date": "2026-06-04T14:45:54.522000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T21:27:43+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:cosign-main@aarch64",
"Red Hat Hardened Images:cosign-main@src",
"Red Hat Hardened Images:cosign-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25138"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:cosign-main@aarch64",
"Red Hat Hardened Images:cosign-main@src",
"Red Hat Hardened Images:cosign-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "go.opentelemetry.io/otel: go.opentelemetry.io/otel/schema/v1.0: go.opentelemetry.io/otel/schema/v1.1: OpenTelemetry-Go: Denial of Service due to file descriptor leak"
},
{
"cve": "CVE-2026-48702",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-06-25T21:33:36+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2499685"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Rekor. The `Package.Unmarshal()` function, which processes Alpine Package Keep (APK) files, decompresses gzip streams without limiting the total decompressed size. A remote attacker can exploit this by crafting a malicious APK file with a high compression ratio, causing the server to consume excessive memory. This leads to a Denial of Service (DoS) through an out-of-memory (OOM) error, and can be triggered via unauthenticated API endpoints.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/sigstore/rekor: Rekor: Denial of Service due to unbounded gzip decompression in Alpine APK parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A flaw was found in Rekor, a transparency log for supply chain security. The Alpine APK parsing logic decompresses gzip members without bounding total decompressed size, allowing a decompression bomb to cause out-of-memory conditions via unauthenticated API endpoints. This vulnerability is server-side only, affecting the Rekor server\u0027s APK entry processing. Products that import github.com/sigstore/rekor as a Go client library are not affected, as the vulnerable code path (Package.Unmarshal in pkg/types/alpine/apk.go) is only reachable through the Rekor server\u0027s HTTP API handlers.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:cosign-main@aarch64",
"Red Hat Hardened Images:cosign-main@src",
"Red Hat Hardened Images:cosign-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-48702"
},
{
"category": "external",
"summary": "RHBZ#2499685",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2499685"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-48702",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48702"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-48702",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48702"
},
{
"category": "external",
"summary": "https://github.com/sigstore/rekor/security/advisories/GHSA-47q9-m4ww-924m",
"url": "https://github.com/sigstore/rekor/security/advisories/GHSA-47q9-m4ww-924m"
}
],
"release_date": "2026-06-25T21:33:36+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T21:27:43+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:cosign-main@aarch64",
"Red Hat Hardened Images:cosign-main@src",
"Red Hat Hardened Images:cosign-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25138"
},
{
"category": "workaround",
"details": "There is no effective workaround. Setting max_request_body_size reduces but does not eliminate exposure due to the ~1000:1 compression ratio (a 1MB body limit still allows ~1GB heap allocation). Setting max_apk_metadata_size has no effect on this vulnerability since the check is applied after decompression.\n\nUpgrade to Rekor 1.5.2 or later.",
"product_ids": [
"Red Hat Hardened Images:cosign-main@aarch64",
"Red Hat Hardened Images:cosign-main@src",
"Red Hat Hardened Images:cosign-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:cosign-main@aarch64",
"Red Hat Hardened Images:cosign-main@src",
"Red Hat Hardened Images:cosign-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/sigstore/rekor: Rekor: Denial of Service due to unbounded gzip decompression in Alpine APK parsing"
}
]
}
RHSA-2026:35111
Vulnerability from csaf_redhat - Published: 2026-07-02 23:34 - Updated: 2026-07-19 12:03A flaw was found in github.com/buger/jsonparser. The Delete function, when processing malformed JSON input, fails to properly validate offsets. This vulnerability can lead to a negative slice index and a runtime panic, allowing a remote attacker to cause a denial of service (DoS) by providing specially crafted JSON data.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:trivy-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:trivy-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:trivy-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Billy, an interface filesystem abstraction for Go. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by providing crafted or malformed input. The issue arises from insufficient validation and missing safety mechanisms when processing untrusted repository data and filesystem structures, leading to panics, infinite loops, uncontrolled recursion, or excessive resource consumption.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:trivy-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:trivy-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:trivy-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in containerd, an open-source container runtime. Containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. This vulnerability allows a crafted container image to bypass the Kubernetes `runAsNonRoot` restriction, potentially leading to privilege escalation where the container runs as the root user (UID 0). This can cause unexpected behavior in environments designed to enforce non-root user execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:trivy-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:trivy-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:trivy-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in containerd, an open-source container runtime. A remote attacker could exploit this vulnerability by providing a maliciously crafted image. When a container is created from this image, it leads to uncontrolled resource consumption and memory exhaustion, causing the containerd process to terminate. This results in a Denial of Service (DoS) condition, making the container runtime API unavailable and disrupting clients like Docker Engine or Kubernetes.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:trivy-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:trivy-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:trivy-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in containerd, an open-source container runtime. The CRI (Container Runtime Interface) checkpoint import process fails to validate image references within a checkpoint image's configuration. An attacker with permissions to create pods can exploit this by using a specially crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local tag. This action poisons the node's local image cache, leading to other pods unknowingly executing the attacker's malicious image instead of the legitimate one, which can result in arbitrary code execution under the victim pod's identity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:trivy-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:trivy-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:trivy-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in containerd, an open-source container runtime. The Container Runtime Interface (CRI) plugin, which manages container operations, fails to validate labels propagated from an image configuration to a container. This oversight could enable an attacker to execute arbitrary commands on the host system through a plugin that processes these unvalidated labels. The primary impact is host-root command execution, allowing unauthorized control over the underlying system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Hardened Images:trivy-main@aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:trivy-main@src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: Red Hat Hardened Images:trivy-main@x86_64 | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\ntrivy:\n * trivy-0.72.0-0.1.hum1 (aarch64, x86_64)\n * trivy-0.72.0-0.1.hum1.src (src)\n\nSecurity Fix(es):\n\ntrivy:\n * CVE-2026-46680\n * CVE-2026-47262\n * CVE-2026-53488",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:35111",
"url": "https://access.redhat.com/errata/RHSA-2026:35111"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-46680",
"url": "https://access.redhat.com/security/cve/CVE-2026-46680"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-47262",
"url": "https://access.redhat.com/security/cve/CVE-2026-47262"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-53488",
"url": "https://access.redhat.com/security/cve/CVE-2026-53488"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-50195",
"url": "https://access.redhat.com/security/cve/CVE-2026-50195"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32285",
"url": "https://access.redhat.com/security/cve/CVE-2026-32285"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-44740",
"url": "https://access.redhat.com/security/cve/CVE-2026-44740"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_35111.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs Security Update",
"tracking": {
"current_release_date": "2026-07-19T12:03:25+00:00",
"generator": {
"date": "2026-07-19T12:03:25+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.3.7"
}
},
"id": "RHSA-2026:35111",
"initial_release_date": "2026-07-02T23:34:03+00:00",
"revision_history": [
{
"date": "2026-07-02T23:34:03+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-07-18T05:32:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-07-19T12:03:25+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-main@aarch64",
"product": {
"name": "trivy-main@aarch64",
"product_id": "trivy-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/trivy@0.72.0-0.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-main@src",
"product": {
"name": "trivy-main@src",
"product_id": "trivy-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/trivy@0.72.0-0.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "trivy-main@x86_64",
"product": {
"name": "trivy-main@x86_64",
"product_id": "trivy-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/trivy@0.72.0-0.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:trivy-main@aarch64"
},
"product_reference": "trivy-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:trivy-main@src"
},
"product_reference": "trivy-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "trivy-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:trivy-main@x86_64"
},
"product_reference": "trivy-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32285",
"cwe": {
"id": "CWE-1285",
"name": "Improper Validation of Specified Index, Position, or Offset in Input"
},
"discovery_date": "2026-03-26T20:01:54.925687+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2451846"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in github.com/buger/jsonparser. The Delete function, when processing malformed JSON input, fails to properly validate offsets. This vulnerability can lead to a negative slice index and a runtime panic, allowing a remote attacker to cause a denial of service (DoS) by providing specially crafted JSON data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/buger/jsonparser: github.com/buger/jsonparser: Denial of Service via malformed JSON input",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32285"
},
{
"category": "external",
"summary": "RHBZ#2451846",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451846"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32285",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32285"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32285",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32285"
},
{
"category": "external",
"summary": "https://github.com/buger/jsonparser/issues/275",
"url": "https://github.com/buger/jsonparser/issues/275"
},
{
"category": "external",
"summary": "https://github.com/golang/vulndb/issues/4514",
"url": "https://github.com/golang/vulndb/issues/4514"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2026-4514",
"url": "https://pkg.go.dev/vuln/GO-2026-4514"
}
],
"release_date": "2026-03-26T19:40:51.837000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-02T23:34:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35111"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/buger/jsonparser: github.com/buger/jsonparser: Denial of Service via malformed JSON input"
},
{
"cve": "CVE-2026-44740",
"cwe": {
"id": "CWE-606",
"name": "Unchecked Input for Loop Condition"
},
"discovery_date": "2026-06-01T17:01:53.685793+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2483894"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Billy, an interface filesystem abstraction for Go. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by providing crafted or malformed input. The issue arises from insufficient validation and missing safety mechanisms when processing untrusted repository data and filesystem structures, leading to panics, infinite loops, uncontrolled recursion, or excessive resource consumption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/go-git/go-billy: Billy: Denial of Service via crafted input due to insufficient validation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is rated as an Important severity issue. The `go-billy` library, a Go filesystem abstraction, is vulnerable to a denial of service when processing crafted or malformed input, such as untrusted repository data or filesystem structures. Insufficient validation and missing safety mechanisms can lead to panics, infinite loops, or excessive resource consumption, potentially impacting the availability of applications that rely on this library.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-44740"
},
{
"category": "external",
"summary": "RHBZ#2483894",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2483894"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-44740",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-44740"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-44740",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44740"
},
{
"category": "external",
"summary": "https://github.com/go-git/go-billy/releases/tag/v5.9.0",
"url": "https://github.com/go-git/go-billy/releases/tag/v5.9.0"
},
{
"category": "external",
"summary": "https://github.com/go-git/go-billy/releases/tag/v6.0.0-alpha.1",
"url": "https://github.com/go-git/go-billy/releases/tag/v6.0.0-alpha.1"
},
{
"category": "external",
"summary": "https://github.com/go-git/go-billy/security/advisories/GHSA-m3xc-h892-ggx6",
"url": "https://github.com/go-git/go-billy/security/advisories/GHSA-m3xc-h892-ggx6"
}
],
"release_date": "2026-06-01T16:04:50.358000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-02T23:34:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35111"
},
{
"category": "workaround",
"details": "To mitigate the issue, we suggest upgrading to versions 5.9.0+ or 6.0.0-alpha.1+",
"product_ids": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/go-git/go-billy: Billy: Denial of Service via crafted input due to insufficient validation"
},
{
"cve": "CVE-2026-46680",
"cwe": {
"id": "CWE-681",
"name": "Incorrect Conversion between Numeric Types"
},
"discovery_date": "2026-07-01T18:02:18.277866+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2496104"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in containerd, an open-source container runtime. Containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. This vulnerability allows a crafted container image to bypass the Kubernetes `runAsNonRoot` restriction, potentially leading to privilege escalation where the container runs as the root user (UID 0). This can cause unexpected behavior in environments designed to enforce non-root user execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/containerd/containerd: containerd: Privilege escalation via incorrect user ID handling",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenShift Container Platform and its layered products include the containerd Go library as a build-time dependency for various components. These products do not use containerd as a container runtime; CRI-O is used instead. The vulnerable code path responsible for parsing User directives during container runtime spec generation is not exercised. Therefore, although the containerd library is present in shipped binaries, the vulnerability is not exploitable in the context of Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-46680"
},
{
"category": "external",
"summary": "RHBZ#2496104",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2496104"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-46680",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46680"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-46680",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46680"
},
{
"category": "external",
"summary": "https://github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w",
"url": "https://github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w"
}
],
"release_date": "2026-07-01T17:40:25.499000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-02T23:34:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35111"
},
{
"category": "workaround",
"details": "Enforce a specific numeric runAsUser in the Kubernetes Pod securityContext, which overrides the User directive in the container image and prevents the bypass. Additionally, restrict access to push container images to trusted users only, and validate image provenance before deployment.",
"product_ids": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/containerd/containerd: containerd: Privilege escalation via incorrect user ID handling"
},
{
"cve": "CVE-2026-47262",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-07-01T19:01:12.673142+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2496126"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in containerd, an open-source container runtime. A remote attacker could exploit this vulnerability by providing a maliciously crafted image. When a container is created from this image, it leads to uncontrolled resource consumption and memory exhaustion, causing the containerd process to terminate. This results in a Denial of Service (DoS) condition, making the container runtime API unavailable and disrupting clients like Docker Engine or Kubernetes.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/containerd/containerd: containerd: Denial of Service via maliciously crafted image leading to unbounded group parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat\u0027s container platform uses CRI-O as its container runtime interface, not containerd. While containerd libraries are bundled in some images for OCI image operations (e.g., estargz support via skopeo), the containerd daemon and its CRI plugin (where the vulnerable group-parsing code path exists) are not executed. Therefore, this vulnerability is not exploitable in Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-47262"
},
{
"category": "external",
"summary": "RHBZ#2496126",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2496126"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-47262",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47262"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-47262",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47262"
},
{
"category": "external",
"summary": "https://github.com/containerd/containerd/security/advisories/GHSA-jpcc-p29g-p8mq",
"url": "https://github.com/containerd/containerd/security/advisories/GHSA-jpcc-p29g-p8mq"
}
],
"release_date": "2026-07-01T17:48:43.205000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-02T23:34:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35111"
},
{
"category": "workaround",
"details": "No mitigation is needed for Red Hat products. The vulnerable code path in containerd\u0027s CRI plugin group-parsing logic is not executed because Red Hat uses CRI-O as the container runtime. Products that bundle containerd as a library dependency for OCI image operations are not affected.",
"product_ids": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "github.com/containerd/containerd: containerd: Denial of Service via maliciously crafted image leading to unbounded group parsing"
},
{
"cve": "CVE-2026-50195",
"cwe": {
"id": "CWE-1289",
"name": "Improper Validation of Unsafe Equivalence in Input"
},
"discovery_date": "2026-07-01T19:01:23.888854+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2496128"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in containerd, an open-source container runtime. The CRI (Container Runtime Interface) checkpoint import process fails to validate image references within a checkpoint image\u0027s configuration. An attacker with permissions to create pods can exploit this by using a specially crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local tag. This action poisons the node\u0027s local image cache, leading to other pods unknowingly executing the attacker\u0027s malicious image instead of the legitimate one, which can result in arbitrary code execution under the victim pod\u0027s identity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/containerd/containerd: containerd: Arbitrary code execution via CRI checkpoint image tag poisoning",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat products include the containerd Go module (v1.x) as a library dependency. The vulnerable CRI checkpoint import functionality was introduced in containerd v2.1.0 and is not present in the v1 module shipped in Red Hat products. Additionally, Red Hat products use CRI-O as the container runtime, not containerd, so the CRI checkpoint import code path is not exercised.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-50195"
},
{
"category": "external",
"summary": "RHBZ#2496128",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2496128"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-50195",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-50195"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-50195",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50195"
},
{
"category": "external",
"summary": "https://github.com/containerd/containerd/security/advisories/GHSA-cvxm-645q-p574",
"url": "https://github.com/containerd/containerd/security/advisories/GHSA-cvxm-645q-p574"
}
],
"release_date": "2026-07-01T17:50:53.072000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-02T23:34:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35111"
},
{
"category": "workaround",
"details": "No mitigation is needed as the vulnerable code is not present in the containerd versions shipped in Red Hat products.",
"product_ids": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "github.com/containerd/containerd: containerd: Arbitrary code execution via CRI checkpoint image tag poisoning"
},
{
"cve": "CVE-2026-53488",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"discovery_date": "2026-07-01T02:01:09.589815+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2495815"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in containerd, an open-source container runtime. The Container Runtime Interface (CRI) plugin, which manages container operations, fails to validate labels propagated from an image configuration to a container. This oversight could enable an attacker to execute arbitrary commands on the host system through a plugin that processes these unvalidated labels. The primary impact is host-root command execution, allowing unauthorized control over the underlying system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "github.com/containerd/containerd: containerd: Host-root command execution via unvalidated image config labels in CRI plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A flaw was found in containerd where the CRI plugin propagates labels from an image configuration (LABEL instruction in a Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host via a plugin that consumes container labels for operations, such as the restart-monitor binary:// logger. An attacker who can cause a crafted container image to be pulled and run can achieve host-level code execution.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-53488"
},
{
"category": "external",
"summary": "RHBZ#2495815",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2495815"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-53488",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-53488"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-53488",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53488"
},
{
"category": "external",
"summary": "https://github.com/containerd/containerd/security/advisories/GHSA-xhf5-7wjv-pqxp",
"url": "https://github.com/containerd/containerd/security/advisories/GHSA-xhf5-7wjv-pqxp"
}
],
"release_date": "2026-07-01T00:11:20.610000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-07-02T23:34:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:35111"
},
{
"category": "workaround",
"details": "Restrict container image pulls to trusted registries using admission policies or image signature verification. Where containerd is used as the container runtime, disable or restrict the binary:// logger URI scheme in the containerd configuration to prevent the label-to-logger attack path.",
"product_ids": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:trivy-main@aarch64",
"Red Hat Hardened Images:trivy-main@src",
"Red Hat Hardened Images:trivy-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "github.com/containerd/containerd: containerd: Host-root command execution via unvalidated image config labels in CRI plugin"
}
]
}