VYPR

apk package

chainguard/external-dns-fips-0.21

pkg:apk/chainguard/external-dns-fips-0.21

Vulnerabilities (25)

  • CVE-2026-39819 (Medium, May 7, 2026)
    affected < 0.21.0-r3, fixed 0.21.0-r3

    The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.

  • CVE-2026-39817 (Medium, May 7, 2026)
    affected < 0.21.0-r3, fixed 0.21.0-r3

    The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

  • CVE-2026-33814 (High, May 7, 2026)
    affected < 0.21.0-r4, fixed 0.21.0-r4

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-33811 (High, May 7, 2026)
    affected < 0.21.0-r3, fixed 0.21.0-r3

    When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

  • CVE-2026-41246 (High, Apr 23, 2026)
    affected < 0.21.0-r1, fixed 0.21.0-r1

    Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malici
