apk package
chainguard/virt-api-1.6
pkg:apk/chainguard/virt-api-1.6
Vulnerabilities (28)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32281 | Hig | 7.5 | < 1.6.5-r1 | 1.6.5-r1 | Apr 8, 2026 | Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root C | |
| CVE-2026-32280 | Hig | 7.5 | < 1.6.5-r1 | 1.6.5-r1 | Apr 8, 2026 | During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls | |
| CVE-2026-27140 | Hig | 8.8 | < 1.6.5-r1 | 1.6.5-r1 | Apr 8, 2026 | SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass. | |
| CVE-2026-2303 | Med | 6.5 | < 1.6.6-r1 | 1.6.6-r1 | Feb 10, 2026 | The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI b | |
| CVE-2025-64324 | — | < 1.6.4-r0 | 1.6.4-r0 | Nov 18, 2025 | KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specificall | ||
| CVE-2025-64432 | — | < 1.6.4-r0 | 1.6.4-r0 | Nov 7, 2025 | KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer's authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api componen | ||
| CVE-2024-33394 | — | < 0 | 0 | May 2, 2024 | An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component. | ||
| CVE-2024-31420 | Med | 6.5 | < 0 | 0 | Apr 3, 2024 | A NULL pointer dereference flaw was found in KubeVirt. This flaw allows an attacker who has access to a virtual machine guest on a node with DownwardMetrics enabled to cause a denial of service by issuing a high number of calls to vm-dump-metrics --virtio and then deleting the vi |
- affected < 1.6.5-r1fixed 1.6.5-r1
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root C
- affected < 1.6.5-r1fixed 1.6.5-r1
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls
- affected < 1.6.5-r1fixed 1.6.5-r1
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
- affected < 1.6.6-r1fixed 1.6.6-r1
The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI b
- CVE-2025-64324Nov 18, 2025affected < 1.6.4-r0fixed 1.6.4-r0
KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specificall
- CVE-2025-64432Nov 7, 2025affected < 1.6.4-r0fixed 1.6.4-r0
KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer's authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api componen
- CVE-2024-33394May 2, 2024affected < 0fixed 0
An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component.
- affected < 0fixed 0
A NULL pointer dereference flaw was found in KubeVirt. This flaw allows an attacker who has access to a virtual machine guest on a node with DownwardMetrics enabled to cause a denial of service by issuing a high number of calls to vm-dump-metrics --virtio and then deleting the vi
Page 2 of 2