VYPR

apk package

chainguard/gpu-operator-fips-26.3

pkg:apk/chainguard/gpu-operator-fips-26.3

Vulnerabilities (25)

  • CVE-2026-39819MedMay 7, 2026
    affected < 26.3.1-r3fixed 26.3.1-r3

    The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.

  • CVE-2026-39817MedMay 7, 2026
    affected < 26.3.1-r3fixed 26.3.1-r3

    The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.

  • CVE-2026-33814HigMay 7, 2026
    affected < 26.3.1-r3fixed 26.3.1-r3

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-33811HigMay 7, 2026
    affected < 26.3.1-r2fixed 26.3.1-r2

    When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

  • CVE-2026-27141HigFeb 26, 2026
    affected < 26.3.1-r1fixed 26.3.1-r1

    Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic

Page 2 of 2