apk package
chainguard/k3s-static-1.31
pkg:apk/chainguard/k3s-static-1.31
Vulnerabilities (63)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32280 | Hig | 7.5 | < 1.31.6.1-r17 | 1.31.6.1-r17 | Apr 8, 2026 | During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls | |
| CVE-2026-27144 | Hig | 7.1 | < 1.31.6.1-r17 | 1.31.6.1-r17 | Apr 8, 2026 | The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime. | |
| CVE-2026-27143 | Cri | 9.8 | < 1.31.6.1-r17 | 1.31.6.1-r17 | Apr 8, 2026 | Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption. | |
| CVE-2026-27140 | Hig | 8.8 | < 1.31.6.1-r17 | 1.31.6.1-r17 | Apr 8, 2026 | SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass. | |
| CVE-2026-33816 | Cri | 9.8 | < 1.31.6.1-r19 | 1.31.6.1-r19 | Apr 7, 2026 | Memory-safety vulnerability in github.com/jackc/pgx/v5. | |
| CVE-2026-35480 | Med | 6.2 | < 1.31.6.1-r22 | 1.31.6.1-r22 | Apr 7, 2026 | go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declare | |
| CVE-2026-33817 | — | < 1.31.6.1-r16 | 1.31.6.1-r16 | Apr 6, 2026 | Rejected reason: CVE confirmed to be a false positive | ||
| CVE-2026-34986 | Hig | 7.5 | < 1.31.6.1-r16 | 1.31.6.1-r16 | Apr 6, 2026 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW | |
| CVE-2026-32285 | Hig | 7.5 | < 1.31.6.1-r15 | 1.31.6.1-r15 | Mar 26, 2026 | The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack. | |
| CVE-2026-33186 | Cri | 9.1 | < 1.31.6.1-r21 | 1.31.6.1-r21 | Mar 20, 2026 | gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi | |
| CVE-2025-15558 | — | < 1.31.6.1-r12 | 1.31.6.1-r12 | Mar 4, 2026 | Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are | ||
| CVE-2026-26958 | Low | — | < 1.31.6.1-r14 | 1.31.6.1-r14 | Feb 19, 2026 | filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Poin | |
| CVE-2026-21438 | — | < 1.31.6.1-r13 | 1.31.6.1-r13 | Feb 12, 2026 | webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage colle | ||
| CVE-2026-21435 | — | < 1.31.6.1-r13 | 1.31.6.1-r13 | Feb 12, 2026 | webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CON | ||
| CVE-2026-21434 | — | < 1.31.6.1-r13 | 1.31.6.1-r13 | Feb 12, 2026 | webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. | ||
| CVE-2025-68121 | Cri | 10.0 | < 1.31.6.1-r9 | 1.31.6.1-r9 | Feb 5, 2026 | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and | |
| CVE-2025-58190 | — | < 1.31.6.1-r10 | 1.31.6.1-r10 | Feb 5, 2026 | The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. | ||
| CVE-2025-47911 | — | < 1.31.6.1-r10 | 1.31.6.1-r10 | Feb 5, 2026 | The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. | ||
| CVE-2025-61732 | — | < 1.31.6.1-r9 | 1.31.6.1-r9 | Feb 5, 2026 | A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. | ||
| CVE-2026-24051 | — | < 1.31.6.1-r11 | 1.31.6.1-r11 | Feb 2, 2026 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman |
- affected < 1.31.6.1-r17fixed 1.31.6.1-r17
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls
- affected < 1.31.6.1-r17fixed 1.31.6.1-r17
The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.
- affected < 1.31.6.1-r17fixed 1.31.6.1-r17
Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.
- affected < 1.31.6.1-r17fixed 1.31.6.1-r17
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
- affected < 1.31.6.1-r19fixed 1.31.6.1-r19
Memory-safety vulnerability in github.com/jackc/pgx/v5.
- affected < 1.31.6.1-r22fixed 1.31.6.1-r22
go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declare
- CVE-2026-33817Apr 6, 2026affected < 1.31.6.1-r16fixed 1.31.6.1-r16
Rejected reason: CVE confirmed to be a false positive
- affected < 1.31.6.1-r16fixed 1.31.6.1-r16
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW
- affected < 1.31.6.1-r15fixed 1.31.6.1-r15
The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.
- affected < 1.31.6.1-r21fixed 1.31.6.1-r21
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi
- CVE-2025-15558Mar 4, 2026affected < 1.31.6.1-r12fixed 1.31.6.1-r12
Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are
- affected < 1.31.6.1-r14fixed 1.31.6.1-r14
filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Poin
- CVE-2026-21438Feb 12, 2026affected < 1.31.6.1-r13fixed 1.31.6.1-r13
webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage colle
- CVE-2026-21435Feb 12, 2026affected < 1.31.6.1-r13fixed 1.31.6.1-r13
webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CON
- CVE-2026-21434Feb 12, 2026affected < 1.31.6.1-r13fixed 1.31.6.1-r13
webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message.
- affected < 1.31.6.1-r9fixed 1.31.6.1-r9
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
- CVE-2025-58190Feb 5, 2026affected < 1.31.6.1-r10fixed 1.31.6.1-r10
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
- CVE-2025-47911Feb 5, 2026affected < 1.31.6.1-r10fixed 1.31.6.1-r10
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
- CVE-2025-61732Feb 5, 2026affected < 1.31.6.1-r9fixed 1.31.6.1-r9
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
- CVE-2026-24051Feb 2, 2026affected < 1.31.6.1-r11fixed 1.31.6.1-r11
OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman
Page 2 of 4