VYPR

apk package

chainguard/datadog-agent-fips-7.71

pkg:apk/chainguard/datadog-agent-fips-7.71

Vulnerabilities (61)

  • CVE-2026-39817MedMay 7, 2026
    affected < 7.71.2-r15fixed 7.71.2-r15

    The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

  • CVE-2026-33814HigMay 7, 2026
    affected < 7.71.2-r16fixed 7.71.2-r16

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-33811HigMay 7, 2026
    affected < 0fixed 0

    When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

  • CVE-2026-6357MedApr 27, 2026
    affected < 7.71.2-r15fixed 7.71.2-r15

    pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update funct

  • CVE-2026-3219MedApr 20, 2026
    affected < 7.71.2-r15fixed 7.71.2-r15

    pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior

  • CVE-2026-35469HigApr 16, 2026
    affected < 0fixed 0

    spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count,

  • CVE-2026-32289MedApr 8, 2026
    affected < 7.71.2-r11fixed 7.71.2-r11

    Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect es

  • CVE-2026-32288MedApr 8, 2026
    affected < 7.71.2-r11fixed 7.71.2-r11

    tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

  • CVE-2026-32283HigApr 8, 2026
    affected < 7.71.2-r11fixed 7.71.2-r11

    If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

  • CVE-2026-32282MedApr 8, 2026
    affected < 0fixed 0

    On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which R

  • CVE-2026-32281HigApr 8, 2026
    affected < 7.71.2-r11fixed 7.71.2-r11

    Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root C

  • CVE-2026-32280HigApr 8, 2026
    affected < 7.71.2-r11fixed 7.71.2-r11

    During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls

  • CVE-2026-27144HigApr 8, 2026
    affected < 7.71.2-r11fixed 7.71.2-r11

    The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.

  • CVE-2026-27143CriApr 8, 2026
    affected < 7.71.2-r11fixed 7.71.2-r11

    Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.

  • CVE-2026-27140HigApr 8, 2026
    affected < 7.71.2-r11fixed 7.71.2-r11

    SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

  • CVE-2026-33817Apr 6, 2026
    affected < 0fixed 0

    Rejected reason: CVE confirmed to be a false positive

  • CVE-2026-32285HigMar 26, 2026
    affected < 0fixed 0

    The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.

  • CVE-2026-25645Mar 25, 2026
    affected < 7.71.2-r10fixed 7.71.2-r10

    Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without valid

  • CVE-2026-33186CriMar 20, 2026
    affected < 7.71.2-r8fixed 7.71.2-r8

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2026-27142MedMar 6, 2026
    affected < 7.71.2-r10fixed 7.71.2-r10

    Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap