apk package

chainguard/bento-fips

pkg:apk/chainguard/bento-fips

Vulnerabilities (30)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-46602		—	< 0	0	Jun 27, 2026	The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.
CVE-2026-46601	mod	6.5	< 1.18.1-r2	1.18.1-r2	Jun 25, 2026	golang.org/x/image/webp: golang.org/x/image/webp: Denial of Service via malformed VP8 chunk in WebP images
CVE-2026-41889	Cri	9.8	< 1.17.0-r2	1.17.0-r2	May 8, 2026	pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placehol
CVE-2026-42501	Hig	7.5	< 1.17.0-r4	1.17.0-r4	May 7, 2026	A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser
CVE-2026-42499	Hig	7.5	< 1.17.0-r4	1.17.0-r4	May 7, 2026	Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
CVE-2026-39836	Hig	7.5	< 1.17.0-r4	1.17.0-r4	May 7, 2026	The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
CVE-2026-39826	Med	6.1	< 1.17.0-r4	1.17.0-r4	May 7, 2026	If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
CVE-2026-39825	Med	5.3	< 0	0	May 7, 2026	ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa
CVE-2026-39823	Med	6.1	< 1.17.0-r4	1.17.0-r4	May 7, 2026	CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le
CVE-2026-39820	Hig	7.5	< 1.17.0-r4	1.17.0-r4	May 7, 2026	Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
CVE-2026-39819	Med	5.3	< 1.17.0-r4	1.17.0-r4	May 7, 2026	The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
CVE-2026-39817	Med	5.9	< 1.17.0-r4	1.17.0-r4	May 7, 2026	The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
CVE-2026-33814	Hig	7.5	< 1.17.0-r5	1.17.0-r5	May 7, 2026	When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
CVE-2026-33811	Hig	7.5	< 1.17.0-r4	1.17.0-r4	May 7, 2026	When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
CVE-2026-41602	Hig	7.5	< 1.17.0-r3	1.17.0-r3	Apr 28, 2026	Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
CVE-2026-33813	Hig	7.5	< 1.17.0-r6	1.17.0-r6	Apr 21, 2026	Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.
CVE-2026-33812	Med	6.1	< 0	0	Apr 21, 2026	Parsing a malicious font file can cause excessive memory allocation.
CVE-2026-39883	Hig	7.0	< 1.16.2-r2	1.16.2-r2	Apr 8, 2026	OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf
CVE-2026-39882	Med	5.3	< 1.17.0-r1	1.17.0-r1	Apr 8, 2026	OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector e
CVE-2026-33816	Cri	9.8	< 0	0	Apr 7, 2026	Memory-safety vulnerability in github.com/jackc/pgx/v5.

CVE-2026-46602Jun 27, 2026
affected < 0fixed 0
The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.
CVE-2026-46601modJun 25, 2026
affected < 1.18.1-r2fixed 1.18.1-r2
golang.org/x/image/webp: golang.org/x/image/webp: Denial of Service via malformed VP8 chunk in WebP images
CVE-2026-41889CriMay 8, 2026
affected < 1.17.0-r2fixed 1.17.0-r2
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placehol
CVE-2026-42501HigMay 7, 2026
affected < 1.17.0-r4fixed 1.17.0-r4
A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser
CVE-2026-42499HigMay 7, 2026
affected < 1.17.0-r4fixed 1.17.0-r4
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
CVE-2026-39836HigMay 7, 2026
affected < 1.17.0-r4fixed 1.17.0-r4
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
CVE-2026-39826MedMay 7, 2026
affected < 1.17.0-r4fixed 1.17.0-r4
If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
CVE-2026-39825MedMay 7, 2026
affected < 0fixed 0
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa
CVE-2026-39823MedMay 7, 2026
affected < 1.17.0-r4fixed 1.17.0-r4
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le
CVE-2026-39820HigMay 7, 2026
affected < 1.17.0-r4fixed 1.17.0-r4
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
CVE-2026-39819MedMay 7, 2026
affected < 1.17.0-r4fixed 1.17.0-r4
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
CVE-2026-39817MedMay 7, 2026
affected < 1.17.0-r4fixed 1.17.0-r4
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
CVE-2026-33814HigMay 7, 2026
affected < 1.17.0-r5fixed 1.17.0-r5
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
CVE-2026-33811HigMay 7, 2026
affected < 1.17.0-r4fixed 1.17.0-r4
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
CVE-2026-41602HigApr 28, 2026
affected < 1.17.0-r3fixed 1.17.0-r3
Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
CVE-2026-33813HigApr 21, 2026
affected < 1.17.0-r6fixed 1.17.0-r6
Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.
CVE-2026-33812MedApr 21, 2026
affected < 0fixed 0
Parsing a malicious font file can cause excessive memory allocation.
CVE-2026-39883HigApr 8, 2026
affected < 1.16.2-r2fixed 1.16.2-r2
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf
CVE-2026-39882MedApr 8, 2026
affected < 1.17.0-r1fixed 1.17.0-r1
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector e
CVE-2026-33816CriApr 7, 2026
affected < 0fixed 0
Memory-safety vulnerability in github.com/jackc/pgx/v5.

Page 1 of 2