apk package
chainguard/coder
pkg:apk/chainguard/coder
Vulnerabilities (24)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-39829 | Hig | 7.5 | < 2.32.4-r3 | 2.32.4-r3 | May 22, 2026 | The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clien | |
| CVE-2026-39828 | Med | 6.3 | < 2.32.4-r3 | 2.32.4-r3 | May 22, 2026 | When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with Par | |
| CVE-2026-39827 | Med | 6.5 | < 2.32.4-r3 | 2.32.4-r3 | May 22, 2026 | An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state | |
| CVE-2026-33814 | Hig | 7.5 | < 2.32.1-r1 | 2.32.1-r1 | May 7, 2026 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. |
- affected < 2.32.4-r3fixed 2.32.4-r3
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clien
- affected < 2.32.4-r3fixed 2.32.4-r3
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with Par
- affected < 2.32.4-r3fixed 2.32.4-r3
An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state
- affected < 2.32.1-r1fixed 2.32.1-r1
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
Page 2 of 2