Denial of Service via maliciously crafted image leading to unbounded group parsing
Summary
Denial of Service via maliciously crafted image leading to unbounded group parsing. Red Hat rates this moderate (CVSS 6.5). Weakness: CWE-770. Affected package(s): syft-main, trivy-main, kubernetes1, grype-main, opentelemetry-collector-contrib-main. Resolved in Red Hat advisory RHSA-2026:35111 — update the affected packages (`sudo dnf update`).
- syft-main-1.46.0-0.1.hum1
- trivy-main-0.72.0-0.1.hum1
- kubernetes1-35-main-1.35.6-1.hum1
- grype-main-0.115.0-0.1.hum1
- opentelemetry-collector-contrib-main-0.155.0-0.1.hum1
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- RHSA-2026:35111
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- Update the affected package(s) to the version in RHSA-2026:35111 (`sudo dnf update` / `yum update`).
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.