Vulnerability-Lookup

OPENSUSE-SU-2026:11075-1

Vulnerability from csaf_opensuse - Published: 2026-06-22 00:00 - Updated: 2026-06-22 00:00

Summary

docker-stable-24.0.9_ce-18.1 on GA media

Severity

Moderate

Notes

Title of the patch: docker-stable-24.0.9_ce-18.1 on GA media

Description of the patch: These are all security issues fixed in the docker-stable-24.0.9_ce-18.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-11075

CVE-2026-33186

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected products

Recommended 24 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2026-33747

8.4 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 24 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2026-33748

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 24 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2026-33814

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 24 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2026-33997

8.4 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Affected products

Recommended 24 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2026-34040

8.4 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Affected products

Recommended 24 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2026-39821

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected products

Recommended 24 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2026-41567

7.2 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Affected products

Recommended 24 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64	—	Vendor Fix

Threats

Impact important

References

29 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2026-33186/	self
https://www.suse.com/security/cve/CVE-2026-33747/	self
https://www.suse.com/security/cve/CVE-2026-33748/	self
https://www.suse.com/security/cve/CVE-2026-33814/	self
https://www.suse.com/security/cve/CVE-2026-33997/	self
https://www.suse.com/security/cve/CVE-2026-34040/	self
https://www.suse.com/security/cve/CVE-2026-39821/	self
https://www.suse.com/security/cve/CVE-2026-41567/	self
https://www.suse.com/security/cve/CVE-2026-33186	external
https://bugzilla.suse.com/1260085	external
https://bugzilla.suse.com/1268676	external
https://www.suse.com/security/cve/CVE-2026-33747	external
https://bugzilla.suse.com/1260954	external
https://www.suse.com/security/cve/CVE-2026-33748	external
https://bugzilla.suse.com/1261046	external
https://www.suse.com/security/cve/CVE-2026-33814	external
https://bugzilla.suse.com/1264506	external
https://bugzilla.suse.com/1268758	external
https://www.suse.com/security/cve/CVE-2026-33997	external
https://bugzilla.suse.com/1265907	external
https://www.suse.com/security/cve/CVE-2026-34040	external
https://bugzilla.suse.com/1261378	external
https://bugzilla.suse.com/1265929	external
https://www.suse.com/security/cve/CVE-2026-39821	external
https://bugzilla.suse.com/1266474	external
https://www.suse.com/security/cve/CVE-2026-41567	external
https://bugzilla.suse.com/1267827	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "docker-stable-24.0.9_ce-18.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the docker-stable-24.0.9_ce-18.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-11075",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_11075-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-33186 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-33186/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-33747 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-33747/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-33748 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-33748/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-33814 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-33814/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-33997 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-33997/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-34040 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-34040/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-39821 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-39821/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-41567 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-41567/"
      }
    ],
    "title": "docker-stable-24.0.9_ce-18.1 on GA media",
    "tracking": {
      "current_release_date": "2026-06-22T00:00:00Z",
      "generator": {
        "date": "2026-06-22T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:11075-1",
      "initial_release_date": "2026-06-22T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-06-22T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "docker-stable-24.0.9_ce-18.1.aarch64",
                "product": {
                  "name": "docker-stable-24.0.9_ce-18.1.aarch64",
                  "product_id": "docker-stable-24.0.9_ce-18.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
                "product": {
                  "name": "docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
                  "product_id": "docker-stable-bash-completion-24.0.9_ce-18.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-buildx-0.25.0-18.1.aarch64",
                "product": {
                  "name": "docker-stable-buildx-0.25.0-18.1.aarch64",
                  "product_id": "docker-stable-buildx-0.25.0-18.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
                "product": {
                  "name": "docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
                  "product_id": "docker-stable-fish-completion-24.0.9_ce-18.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
                "product": {
                  "name": "docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
                  "product_id": "docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
                "product": {
                  "name": "docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
                  "product_id": "docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "docker-stable-24.0.9_ce-18.1.ppc64le",
                "product": {
                  "name": "docker-stable-24.0.9_ce-18.1.ppc64le",
                  "product_id": "docker-stable-24.0.9_ce-18.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
                "product": {
                  "name": "docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
                  "product_id": "docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-buildx-0.25.0-18.1.ppc64le",
                "product": {
                  "name": "docker-stable-buildx-0.25.0-18.1.ppc64le",
                  "product_id": "docker-stable-buildx-0.25.0-18.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
                "product": {
                  "name": "docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
                  "product_id": "docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
                "product": {
                  "name": "docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
                  "product_id": "docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
                "product": {
                  "name": "docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
                  "product_id": "docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "docker-stable-24.0.9_ce-18.1.s390x",
                "product": {
                  "name": "docker-stable-24.0.9_ce-18.1.s390x",
                  "product_id": "docker-stable-24.0.9_ce-18.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
                "product": {
                  "name": "docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
                  "product_id": "docker-stable-bash-completion-24.0.9_ce-18.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-buildx-0.25.0-18.1.s390x",
                "product": {
                  "name": "docker-stable-buildx-0.25.0-18.1.s390x",
                  "product_id": "docker-stable-buildx-0.25.0-18.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
                "product": {
                  "name": "docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
                  "product_id": "docker-stable-fish-completion-24.0.9_ce-18.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
                "product": {
                  "name": "docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
                  "product_id": "docker-stable-rootless-extras-24.0.9_ce-18.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
                "product": {
                  "name": "docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
                  "product_id": "docker-stable-zsh-completion-24.0.9_ce-18.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "docker-stable-24.0.9_ce-18.1.x86_64",
                "product": {
                  "name": "docker-stable-24.0.9_ce-18.1.x86_64",
                  "product_id": "docker-stable-24.0.9_ce-18.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
                "product": {
                  "name": "docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
                  "product_id": "docker-stable-bash-completion-24.0.9_ce-18.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-buildx-0.25.0-18.1.x86_64",
                "product": {
                  "name": "docker-stable-buildx-0.25.0-18.1.x86_64",
                  "product_id": "docker-stable-buildx-0.25.0-18.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
                "product": {
                  "name": "docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
                  "product_id": "docker-stable-fish-completion-24.0.9_ce-18.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
                "product": {
                  "name": "docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
                  "product_id": "docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64",
                "product": {
                  "name": "docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64",
                  "product_id": "docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-24.0.9_ce-18.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64"
        },
        "product_reference": "docker-stable-24.0.9_ce-18.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-24.0.9_ce-18.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le"
        },
        "product_reference": "docker-stable-24.0.9_ce-18.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-24.0.9_ce-18.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x"
        },
        "product_reference": "docker-stable-24.0.9_ce-18.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-24.0.9_ce-18.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64"
        },
        "product_reference": "docker-stable-24.0.9_ce-18.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-bash-completion-24.0.9_ce-18.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64"
        },
        "product_reference": "docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le"
        },
        "product_reference": "docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-bash-completion-24.0.9_ce-18.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x"
        },
        "product_reference": "docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-bash-completion-24.0.9_ce-18.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64"
        },
        "product_reference": "docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-buildx-0.25.0-18.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64"
        },
        "product_reference": "docker-stable-buildx-0.25.0-18.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-buildx-0.25.0-18.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le"
        },
        "product_reference": "docker-stable-buildx-0.25.0-18.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-buildx-0.25.0-18.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x"
        },
        "product_reference": "docker-stable-buildx-0.25.0-18.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-buildx-0.25.0-18.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64"
        },
        "product_reference": "docker-stable-buildx-0.25.0-18.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-fish-completion-24.0.9_ce-18.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64"
        },
        "product_reference": "docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le"
        },
        "product_reference": "docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-fish-completion-24.0.9_ce-18.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x"
        },
        "product_reference": "docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-fish-completion-24.0.9_ce-18.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64"
        },
        "product_reference": "docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64"
        },
        "product_reference": "docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le"
        },
        "product_reference": "docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-rootless-extras-24.0.9_ce-18.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x"
        },
        "product_reference": "docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64"
        },
        "product_reference": "docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64"
        },
        "product_reference": "docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le"
        },
        "product_reference": "docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-zsh-completion-24.0.9_ce-18.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x"
        },
        "product_reference": "docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
        },
        "product_reference": "docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-33186",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-33186"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-33186",
          "url": "https://www.suse.com/security/cve/CVE-2026-33186"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260085 for CVE-2026-33186",
          "url": "https://bugzilla.suse.com/1260085"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1268676 for CVE-2026-33186",
          "url": "https://bugzilla.suse.com/1268676"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-22T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-33186"
    },
    {
      "cve": "CVE-2026-33747",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-33747"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-33747",
          "url": "https://www.suse.com/security/cve/CVE-2026-33747"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260954 for CVE-2026-33747",
          "url": "https://bugzilla.suse.com/1260954"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-22T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-33747"
    },
    {
      "cve": "CVE-2026-33748",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-33748"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. The issue has been fixed in version v0.28.1 The issue affects only builds that use Git URLs with a subpath component. As a workaround, avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-33748",
          "url": "https://www.suse.com/security/cve/CVE-2026-33748"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261046 for CVE-2026-33748",
          "url": "https://bugzilla.suse.com/1261046"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-22T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-33748"
    },
    {
      "cve": "CVE-2026-33814",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-33814"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-33814",
          "url": "https://www.suse.com/security/cve/CVE-2026-33814"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1264506 for CVE-2026-33814",
          "url": "https://bugzilla.suse.com/1264506"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1268758 for CVE-2026-33814",
          "url": "https://bugzilla.suse.com/1268758"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-22T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-33814"
    },
    {
      "cve": "CVE-2026-33997",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-33997"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon\u0027s privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. This issue has been patched in version 29.3.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-33997",
          "url": "https://www.suse.com/security/cve/CVE-2026-33997"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1265907 for CVE-2026-33997",
          "url": "https://bugzilla.suse.com/1265907"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-22T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-33997"
    },
    {
      "cve": "CVE-2026-34040",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-34040"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-34040",
          "url": "https://www.suse.com/security/cve/CVE-2026-34040"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261378 for CVE-2026-34040",
          "url": "https://bugzilla.suse.com/1261378"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1265929 for CVE-2026-34040",
          "url": "https://bugzilla.suse.com/1265929"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-22T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-34040"
    },
    {
      "cve": "CVE-2026-39821",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-39821"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode(\"xn--example-.com\") incorrectly returns the name \"example.com\" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject \"example.com\" but permit \"xn--example-.com\". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name \"example.com\".",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-39821",
          "url": "https://www.suse.com/security/cve/CVE-2026-39821"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1266474 for CVE-2026-39821",
          "url": "https://bugzilla.suse.com/1266474"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-22T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-39821"
    },
    {
      "cve": "CVE-2026-41567",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-41567"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`, the daemon resolves decompression binaries (such as `xz` or `unpigz`) from the container\u0027s filesystem rather than the host\u0027s due to incorrect ordering of operations. A malicious container image containing a trojanized decompression binary can achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue is fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only running containers from trusted images, using authorization plugins to restrict access to the `PUT /containers/{id}/archive` endpoint, and avoiding piping compressed archives into containers created from untrusted images",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
          "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-41567",
          "url": "https://www.suse.com/security/cve/CVE-2026-41567"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1267827 for CVE-2026-41567",
          "url": "https://bugzilla.suse.com/1267827"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-bash-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-buildx-0.25.0-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-fish-completion-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-rootless-extras-24.0.9_ce-18.1.x86_64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.aarch64",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.ppc64le",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.s390x",
            "openSUSE Tumbleweed:docker-stable-zsh-completion-24.0.9_ce-18.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-06-22T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-41567"
    }
  ]
}

CVE-2026-33186 (GCVE-0-2026-33186)

Vulnerability from cvelistv5 – Published: 2026-03-20 22:23 – Updated: 2026-03-24 18:09

Title

gRPC-Go has an authorization bypass via missing leading slash in :path

Summary

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-285 - Improper Authorization

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/grpc/grpc-go/security/advisori…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
grpc	grpc-go	Affected: < 1.79.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33186",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T18:08:38.989284Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-24T18:09:13.422Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "grpc-go",
          "vendor": "grpc",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.79.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, \"deny\" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback \"allow\" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific \"deny\" rules for canonical paths but allows other requests by default (a fallback \"allow\" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T22:23:32.147Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3"
        }
      ],
      "source": {
        "advisory": "GHSA-p77j-4mvh-x3m3",
        "discovery": "UNKNOWN"
      },
      "title": "gRPC-Go has an authorization bypass via missing leading slash in :path"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33186",
    "datePublished": "2026-03-20T22:23:32.147Z",
    "dateReserved": "2026-03-17T22:16:36.720Z",
    "dateUpdated": "2026-03-24T18:09:13.422Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33747 (GCVE-0-2026-33747)

Vulnerability from cvelistv5 – Published: 2026-03-27 00:49 – Updated: 2026-03-27 19:59

Title

BuildKit vulnerable to malicious frontend causing file escape outside of storage root

Summary

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected.

Severity

8.4 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/moby/buildkit/security/advisor…	x_refsource_CONFIRM
https://github.com/moby/buildkit/releases/tag/v0.28.1	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
moby	buildkit	Affected: < 0.28.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33747",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T13:25:53.698360Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T19:59:06.907Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "buildkit",
          "vendor": "moby",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.28.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, when using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. The issue has been fixed in v0.28.1. The vulnerability requires using an untrusted BuildKit frontend set with `#syntax` or `--build-arg BUILDKIT_SYNTAX`. Using these options with a well-known frontend image like `docker/dockerfile` is not affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-27T00:49:06.165Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/moby/buildkit/security/advisories/GHSA-4c29-8rgm-jvjj"
        },
        {
          "name": "https://github.com/moby/buildkit/releases/tag/v0.28.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/moby/buildkit/releases/tag/v0.28.1"
        }
      ],
      "source": {
        "advisory": "GHSA-4c29-8rgm-jvjj",
        "discovery": "UNKNOWN"
      },
      "title": "BuildKit vulnerable to malicious frontend causing file escape outside of storage root"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33747",
    "datePublished": "2026-03-27T00:49:06.165Z",
    "dateReserved": "2026-03-23T18:30:14.124Z",
    "dateUpdated": "2026-03-27T19:59:06.907Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33748 (GCVE-0-2026-33748)

Vulnerability from cvelistv5 – Published: 2026-03-27 14:00 – Updated: 2026-03-27 19:58

Title

BuildKit Git URL subdir component can cause access to restricted files

Summary

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. The issue has been fixed in version v0.28.1 The issue affects only builds that use Git URLs with a subpath component. As a workaround, avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink.

Severity

8.2 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-59 - Improper Link Resolution Before File Access ('Link Following')

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/moby/buildkit/security/advisor…	x_refsource_CONFIRM
https://docs.docker.com/build/concepts/context/#u…	x_refsource_MISC
https://github.com/moby/buildkit/releases/tag/v0.28.1	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
moby	buildkit	Affected: < 0.28.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33748",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T18:55:58.658220Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T19:58:28.764Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "buildkit",
          "vendor": "moby",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.28.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Prior to version 0.28.1, insufficient validation of Git URL fragment subdir components may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem. The issue has been fixed in version v0.28.1 The issue affects only builds that use Git URLs with a subpath component. As a workaround, avoid building Dockerfiles from untrusted sources or using the subdir component from an untrusted Git repository where the subdir component could point to a symlink."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-27T14:00:21.200Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/moby/buildkit/security/advisories/GHSA-4vrq-3vrq-g6gg"
        },
        {
          "name": "https://docs.docker.com/build/concepts/context/#url-fragments",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.docker.com/build/concepts/context/#url-fragments"
        },
        {
          "name": "https://github.com/moby/buildkit/releases/tag/v0.28.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/moby/buildkit/releases/tag/v0.28.1"
        }
      ],
      "source": {
        "advisory": "GHSA-4vrq-3vrq-g6gg",
        "discovery": "UNKNOWN"
      },
      "title": "BuildKit Git URL subdir component can cause access to restricted files"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33748",
    "datePublished": "2026-03-27T14:00:21.200Z",
    "dateReserved": "2026-03-23T18:30:14.124Z",
    "dateUpdated": "2026-03-27T19:58:28.764Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33814 (GCVE-0-2026-33814)

Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-05-08 18:01

Title

Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

Summary

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Assigner

References

5 references

URL	Tags
https://go.dev/cl/761581
https://go.dev/cl/761640
https://go.dev/issue/78476
https://groups.google.com/g/golang-announce/c/qcC…
https://pkg.go.dev/vuln/GO-2026-4918

Impacted products

2 products

Vendor	Product	Version
golang.org/x/net	golang.org/x/net/http2	Affected: 0 , < 0.53.0 (semver)
Go standard library	net/http	Affected: 0 , < 1.25.10 (semver) Affected: 1.26.0-0 , < 1.26.3 (semver)

Credits

Marwan Atia (marwansamir688@gmail.com)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-33814",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T18:00:53.951676Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T18:01:02.989Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/http2",
          "product": "golang.org/x/net/http2",
          "programRoutines": [
            {
              "name": "clientConnReadLoop.processSettingsNoWrite"
            },
            {
              "name": "Transport.NewClientConn"
            },
            {
              "name": "Transport.RoundTrip"
            },
            {
              "name": "Transport.RoundTripOpt"
            },
            {
              "name": "clientConnPool.GetClientConn"
            },
            {
              "name": "noDialClientConnPool.GetClientConn"
            },
            {
              "name": "noDialH2RoundTripper.NewClientConn"
            },
            {
              "name": "noDialH2RoundTripper.RoundTrip"
            },
            {
              "name": "unencryptedTransport.RoundTrip"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.53.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/http",
          "product": "net/http",
          "programRoutines": [
            {
              "name": "http2clientConnReadLoop.processSettingsNoWrite"
            },
            {
              "name": "Client.CloseIdleConnections"
            },
            {
              "name": "Client.Do"
            },
            {
              "name": "Client.Get"
            },
            {
              "name": "Client.Head"
            },
            {
              "name": "Client.Post"
            },
            {
              "name": "Client.PostForm"
            },
            {
              "name": "ClientConn.Close"
            },
            {
              "name": "ClientConn.RoundTrip"
            },
            {
              "name": "Get"
            },
            {
              "name": "Head"
            },
            {
              "name": "Post"
            },
            {
              "name": "PostForm"
            },
            {
              "name": "Transport.CloseIdleConnections"
            },
            {
              "name": "Transport.NewClientConn"
            },
            {
              "name": "Transport.RoundTrip"
            },
            {
              "name": "http1ClientConn.Close"
            },
            {
              "name": "http1ClientConn.RoundTrip"
            },
            {
              "name": "http2Transport.NewClientConn"
            },
            {
              "name": "http2Transport.RoundTrip"
            },
            {
              "name": "http2Transport.RoundTripOpt"
            },
            {
              "name": "http2clientConnPool.GetClientConn"
            },
            {
              "name": "http2noDialClientConnPool.GetClientConn"
            },
            {
              "name": "http2noDialH2RoundTripper.NewClientConn"
            },
            {
              "name": "http2noDialH2RoundTripper.RoundTrip"
            },
            {
              "name": "http2unencryptedTransport.RoundTrip"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.3",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Marwan Atia (marwansamir688@gmail.com)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T19:41:17.631Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/761581"
        },
        {
          "url": "https://go.dev/cl/761640"
        },
        {
          "url": "https://go.dev/issue/78476"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4918"
        }
      ],
      "title": "Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-33814",
    "datePublished": "2026-05-07T19:41:17.631Z",
    "dateReserved": "2026-03-23T20:35:32.814Z",
    "dateUpdated": "2026-05-08T18:01:02.989Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33997 (GCVE-0-2026-33997)

Vulnerability from cvelistv5 – Published: 2026-03-31 01:36 – Updated: 2026-04-02 03:55

Title

Moby: Off-by-one error in plugin privilege validation

Summary

Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. This issue has been patched in version 29.3.1.

Severity

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-193 - Off-by-one Error

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/moby/moby/security/advisories/…	x_refsource_CONFIRM
https://github.com/moby/moby/releases/tag/docker-…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
moby	moby	Affected: < 29.3.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33997",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-01T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-02T03:55:57.801Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "moby",
          "vendor": "moby",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 29.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon\u0027s privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. This issue has been patched in version 29.3.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-193",
              "description": "CWE-193: Off-by-one Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T01:36:51.404Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/moby/moby/security/advisories/GHSA-pxq6-2prw-chj9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/moby/moby/security/advisories/GHSA-pxq6-2prw-chj9"
        },
        {
          "name": "https://github.com/moby/moby/releases/tag/docker-v29.3.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/moby/moby/releases/tag/docker-v29.3.1"
        }
      ],
      "source": {
        "advisory": "GHSA-pxq6-2prw-chj9",
        "discovery": "UNKNOWN"
      },
      "title": "Moby: Off-by-one error in plugin privilege validation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33997",
    "datePublished": "2026-03-31T01:36:51.404Z",
    "dateReserved": "2026-03-24T22:20:06.214Z",
    "dateUpdated": "2026-04-02T03:55:57.801Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34040 (GCVE-0-2026-34040)

Vulnerability from cvelistv5 – Published: 2026-03-31 01:36 – Updated: 2026-04-02 03:55

Title

Moby: AuthZ plugin bypass with oversized request body

Summary

Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-288 - Authentication Bypass Using an Alternate Path or Channel

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/moby/moby/security/advisories/…	x_refsource_CONFIRM
https://github.com/moby/moby/releases/tag/docker-…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
moby	moby	Affected: < 29.3.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34040",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-01T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-02T03:55:56.676Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "moby",
          "vendor": "moby",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 29.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T01:36:48.205Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/moby/moby/security/advisories/GHSA-x744-4wpc-v9h2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/moby/moby/security/advisories/GHSA-x744-4wpc-v9h2"
        },
        {
          "name": "https://github.com/moby/moby/releases/tag/docker-v29.3.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/moby/moby/releases/tag/docker-v29.3.1"
        }
      ],
      "source": {
        "advisory": "GHSA-x744-4wpc-v9h2",
        "discovery": "UNKNOWN"
      },
      "title": "Moby: AuthZ plugin bypass with oversized request body"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34040",
    "datePublished": "2026-03-31T01:36:48.205Z",
    "dateReserved": "2026-03-25T15:29:04.744Z",
    "dateUpdated": "2026-04-02T03:55:56.676Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39821 (GCVE-0-2026-39821)

Vulnerability from cvelistv5 – Published: 2026-05-22 15:01 – Updated: 2026-05-27 13:13

Title

Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna

Summary

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Severity

9.6 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-1289 - Improper Validation of Unsafe Equivalence in Input

Assigner

References

4 references

URL	Tags
https://go.dev/cl/767220
https://go.dev/issue/78760
https://groups.google.com/g/golang-announce/c/iI-…
https://pkg.go.dev/vuln/GO-2026-5026

Impacted products

1 product

Vendor	Product	Version
golang.org/x/net	golang.org/x/net/idna	Affected: 0 , < 0.55.0 (semver)

Credits

KC1zs4 (https://github.com/KC1zs4)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.6,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39821",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-23T03:55:58.522682Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1289",
                "description": "CWE-1289 Improper Validation of Unsafe Equivalence in Input",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T13:13:15.606Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/idna",
          "product": "golang.org/x/net/idna",
          "programRoutines": [
            {
              "name": "Profile.process"
            },
            {
              "name": "Profile.ToASCII"
            },
            {
              "name": "Profile.ToUnicode"
            },
            {
              "name": "ToASCII"
            },
            {
              "name": "ToUnicode"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.55.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "KC1zs4 (https://github.com/KC1zs4)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode(\"xn--example-.com\") incorrectly returns the name \"example.com\" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject \"example.com\" but permit \"xn--example-.com\". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name \"example.com\"."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-22T15:01:21.462Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/767220"
        },
        {
          "url": "https://go.dev/issue/78760"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-5026"
        }
      ],
      "title": "Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-39821",
    "datePublished": "2026-05-22T15:01:21.462Z",
    "dateReserved": "2026-04-07T18:13:03.526Z",
    "dateUpdated": "2026-05-27T13:13:15.606Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41567 (GCVE-0-2026-41567)

Vulnerability from cvelistv5 – Published: 2026-06-05 00:35 – Updated: 2026-06-05 13:11

Title

Docker: `PUT /containers/{id}/archive` executes container binary on the host

Summary

Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`, the daemon resolves decompression binaries (such as `xz` or `unpigz`) from the container's filesystem rather than the host's due to incorrect ordering of operations. A malicious container image containing a trojanized decompression binary can achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue is fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only running containers from trusted images, using authorization plugins to restrict access to the `PUT /containers/{id}/archive` endpoint, and avoiding piping compressed archives into containers created from untrusted images

Severity

7.2 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-427 - Uncontrolled Search Path Element

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/moby/moby/security/advisories/…	x_refsource_CONFIRM

Impacted products

3 products

Vendor	Product	Version
moby	moby/v2/daemon	Affected: < 2.0.0-beta.14
moby	Docker Engine	Affected: < 29.5.1
docker	docker/daemon	Affected: <= 28.5.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41567",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-05T13:11:38.173928Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-05T13:11:47.568Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "moby/v2/daemon",
          "vendor": "moby",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.0.0-beta.14"
            }
          ]
        },
        {
          "product": "Docker Engine",
          "vendor": "moby",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 29.5.1"
            }
          ]
        },
        {
          "product": "docker/daemon",
          "vendor": "docker",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 28.5.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`, the daemon resolves decompression binaries (such as `xz` or `unpigz`) from the container\u0027s filesystem rather than the host\u0027s due to incorrect ordering of operations. A malicious container image containing a trojanized decompression binary can achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue is fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only running containers from trusted images, using authorization plugins to restrict access to the `PUT /containers/{id}/archive` endpoint, and avoiding piping compressed archives into containers created from untrusted images"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "CWE-427: Uncontrolled Search Path Element",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-05T00:35:50.563Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/moby/moby/security/advisories/GHSA-x86f-5xw2-fm2r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/moby/moby/security/advisories/GHSA-x86f-5xw2-fm2r"
        }
      ],
      "source": {
        "advisory": "GHSA-x86f-5xw2-fm2r",
        "discovery": "UNKNOWN"
      },
      "title": "Docker: `PUT /containers/{id}/archive` executes container binary on the host"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41567",
    "datePublished": "2026-06-05T00:35:50.563Z",
    "dateReserved": "2026-04-21T14:15:21.957Z",
    "dateUpdated": "2026-06-05T13:11:47.568Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

OPENSUSE-SU-2026:11075-1

CVE-2026-33186 (GCVE-0-2026-33186)

CVE-2026-33747 (GCVE-0-2026-33747)

CVE-2026-33748 (GCVE-0-2026-33748)

CVE-2026-33814 (GCVE-0-2026-33814)

CVE-2026-33997 (GCVE-0-2026-33997)

CVE-2026-34040 (GCVE-0-2026-34040)

CVE-2026-39821 (GCVE-0-2026-39821)

CVE-2026-41567 (GCVE-0-2026-41567)

Tags

Sightings

Nomenclature