apk package
chainguard/k3s-static-1.34
pkg:apk/chainguard/k3s-static-1.34
Vulnerabilities (40)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-39830 | Cri | 9.1 | < 1.34.6.1-r11 | 1.34.6.1-r11 | May 22, 2026 | A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now | |
| CVE-2026-39829 | Hig | 7.5 | < 1.34.6.1-r11 | 1.34.6.1-r11 | May 22, 2026 | The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clien | |
| CVE-2026-39828 | Med | 6.3 | < 1.34.6.1-r11 | 1.34.6.1-r11 | May 22, 2026 | When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with Par | |
| CVE-2026-39827 | Med | 6.5 | < 1.34.6.1-r11 | 1.34.6.1-r11 | May 22, 2026 | An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state | |
| CVE-2026-46680 | hig | — | < 1.34.9.1-r0 | 1.34.9.1-r0 | May 21, 2026 | ### Impact A bug was found in containerd where containers launched with a numeric `User` directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. If a crafted image provides an `/etc/passwd` file mapping this large numeric string to root, the con | |
| CVE-2026-41889 | Cri | 9.8 | < 1.34.8.1-r0 | 1.34.8.1-r0 | May 8, 2026 | pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placehol | |
| CVE-2026-33814 | Hig | 7.5 | < 1.34.6.1-r10 | 1.34.6.1-r10 | May 7, 2026 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. | |
| CVE-2026-35469 | Hig | — | < 1.34.6.1-r4 | 1.34.6.1-r4 | Apr 16, 2026 | spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, | |
| CVE-2026-39883 | Hig | 7.0 | < 1.34.6.1-r2 | 1.34.6.1-r2 | Apr 8, 2026 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf | |
| CVE-2026-33816 | Cri | 9.8 | < 1.34.6.1-r3 | 1.34.6.1-r3 | Apr 7, 2026 | Memory-safety vulnerability in github.com/jackc/pgx/v5. | |
| CVE-2026-35480 | Med | 6.2 | < 1.34.6.1-r5 | 1.34.6.1-r5 | Apr 7, 2026 | go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declare | |
| CVE-2026-33817 | — | < 1.34.6.1-r2 | 1.34.6.1-r2 | Apr 6, 2026 | Rejected reason: CVE confirmed to be a false positive | ||
| CVE-2026-33186 | Cri | 9.1 | < 1.34.6.1-r6 | 1.34.6.1-r6 | Mar 20, 2026 | gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi | |
| CVE-2025-58190 | — | < 1.34.6.1-r6 | 1.34.6.1-r6 | Feb 5, 2026 | The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. | ||
| CVE-2025-47911 | — | < 1.34.6.1-r6 | 1.34.6.1-r6 | Feb 5, 2026 | The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. | ||
| CVE-2025-47914 | — | < 1.34.6.1-r11 | 1.34.6.1-r11 | Nov 19, 2025 | SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. | ||
| CVE-2025-58181 | — | < 1.34.6.1-r11 | 1.34.6.1-r11 | Nov 19, 2025 | SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. | ||
| CVE-2025-47913 | — | < 1.34.6.1-r9 | 1.34.6.1-r9 | Nov 13, 2025 | SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. | ||
| CVE-2025-54410 | — | < 1.34.8.1-r0 | 1.34.8.1-r0 | Jul 30, 2025 | Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fail | ||
| CVE-2025-46599 | Med | 6.8 | < 0 | 0 | Apr 25, 2025 | CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this por |
- affected < 1.34.6.1-r11fixed 1.34.6.1-r11
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now
- affected < 1.34.6.1-r11fixed 1.34.6.1-r11
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clien
- affected < 1.34.6.1-r11fixed 1.34.6.1-r11
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with Par
- affected < 1.34.6.1-r11fixed 1.34.6.1-r11
An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state
- affected < 1.34.9.1-r0fixed 1.34.9.1-r0
### Impact A bug was found in containerd where containers launched with a numeric `User` directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. If a crafted image provides an `/etc/passwd` file mapping this large numeric string to root, the con
- affected < 1.34.8.1-r0fixed 1.34.8.1-r0
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be would be interpreted as a placehol
- affected < 1.34.6.1-r10fixed 1.34.6.1-r10
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
- affected < 1.34.6.1-r4fixed 1.34.6.1-r4
spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count,
- affected < 1.34.6.1-r2fixed 1.34.6.1-r2
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf
- affected < 1.34.6.1-r3fixed 1.34.6.1-r3
Memory-safety vulnerability in github.com/jackc/pgx/v5.
- affected < 1.34.6.1-r5fixed 1.34.6.1-r5
go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declare
- CVE-2026-33817Apr 6, 2026affected < 1.34.6.1-r2fixed 1.34.6.1-r2
Rejected reason: CVE confirmed to be a false positive
- affected < 1.34.6.1-r6fixed 1.34.6.1-r6
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi
- CVE-2025-58190Feb 5, 2026affected < 1.34.6.1-r6fixed 1.34.6.1-r6
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
- CVE-2025-47911Feb 5, 2026affected < 1.34.6.1-r6fixed 1.34.6.1-r6
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
- CVE-2025-47914Nov 19, 2025affected < 1.34.6.1-r11fixed 1.34.6.1-r11
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
- CVE-2025-58181Nov 19, 2025affected < 1.34.6.1-r11fixed 1.34.6.1-r11
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
- CVE-2025-47913Nov 13, 2025affected < 1.34.6.1-r9fixed 1.34.6.1-r9
SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.
- CVE-2025-54410Jul 30, 2025affected < 1.34.8.1-r0fixed 1.34.8.1-r0
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fail
- affected < 0fixed 0
CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this por
Page 2 of 2