apk package
wolfi/manifest-tool
pkg:apk/wolfi/manifest-tool
Vulnerabilities (50)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-53492 | hig | — | < 2.2.2-r4 | 2.2.2-r4 | Jun 19, 2026 | ### Impact containerd's CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations fro | |
| CVE-2026-53489 | hig | — | < 2.2.2-r4 | 2.2.2-r4 | Jun 19, 2026 | ### Impact A bug was found in containerd where the CRI plugin restores `container.log` from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via `kubectl logs`. ### Patches This bug has been fixed in the following | |
| CVE-2026-53488 | hig | — | < 2.2.2-r4 | 2.2.2-r4 | Jun 19, 2026 | ### Impact A bug was found in containerd where the CRI plugin propagates labels from an image config (`LABEL` instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels f | |
| CVE-2026-50195 | — | < 2.2.2-r4 | 2.2.2-r4 | Jun 19, 2026 | ## Impact containerd's CRI checkpoint import process contains a vulnerability where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to | ||
| CVE-2026-47262 | — | < 2.2.2-r4 | 2.2.2-r4 | Jun 19, 2026 | ### Impact A vulnerability in containerd allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the contai | ||
| CVE-2026-41178 | Med | 5.3 | < 2.2.2-r5 | 2.2.2-r5 | Jun 4, 2026 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the iss | |
| CVE-2026-42507 | Med | 5.3 | < 2.2.2-r3 | 2.2.2-r3 | Jun 2, 2026 | When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged. | |
| CVE-2026-42504 | Hig | 7.5 | < 0 | 0 | Jun 2, 2026 | Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU. | |
| CVE-2026-27145 | Med | 6.5 | < 2.2.2-r3 | 2.2.2-r3 | Jun 2, 2026 | (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratic | |
| CVE-2026-39824 | Low | 3.3 | < 0 | 0 | May 22, 2026 | NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error. | |
| CVE-2026-46680 | hig | — | < 2.2.2-r1 | 2.2.2-r1 | May 21, 2026 | ### Impact A bug was found in containerd where containers launched with a numeric `User` directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. If a crafted image provides an `/etc/passwd` file mapping this large numeric string to root, the con | |
| CVE-2026-42501 | Hig | 7.5 | < 2.2.2-r0 | 2.2.2-r0 | May 7, 2026 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser | |
| CVE-2026-42499 | Hig | 7.5 | < 0 | 0 | May 7, 2026 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | |
| CVE-2026-39836 | Hig | 7.5 | < 2.2.2-r0 | 2.2.2-r0 | May 7, 2026 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | |
| CVE-2026-39826 | Med | 6.1 | < 0 | 0 | May 7, 2026 | If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block. | |
| CVE-2026-39825 | Med | 5.3 | < 0 | 0 | May 7, 2026 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa | |
| CVE-2026-39823 | Med | 6.1 | < 0 | 0 | May 7, 2026 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le | |
| CVE-2026-39820 | Hig | 7.5 | < 0 | 0 | May 7, 2026 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. | |
| CVE-2026-39819 | Med | 5.3 | < 2.2.2-r0 | 2.2.2-r0 | May 7, 2026 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink. | |
| CVE-2026-39817 | Med | 5.9 | < 2.2.2-r0 | 2.2.2-r0 | May 7, 2026 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem. |
- affected < 2.2.2-r4fixed 2.2.2-r4
### Impact containerd's CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations fro
- affected < 2.2.2-r4fixed 2.2.2-r4
### Impact A bug was found in containerd where the CRI plugin restores `container.log` from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via `kubectl logs`. ### Patches This bug has been fixed in the following
- affected < 2.2.2-r4fixed 2.2.2-r4
### Impact A bug was found in containerd where the CRI plugin propagates labels from an image config (`LABEL` instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels f
- CVE-2026-50195Jun 19, 2026affected < 2.2.2-r4fixed 2.2.2-r4
## Impact containerd's CRI checkpoint import process contains a vulnerability where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to
- CVE-2026-47262Jun 19, 2026affected < 2.2.2-r4fixed 2.2.2-r4
### Impact A vulnerability in containerd allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the contai
- affected < 2.2.2-r5fixed 2.2.2-r5
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the iss
- affected < 2.2.2-r3fixed 2.2.2-r3
When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.
- affected < 0fixed 0
Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.
- affected < 2.2.2-r3fixed 2.2.2-r3
(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratic
- affected < 0fixed 0
NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error.
- affected < 2.2.2-r1fixed 2.2.2-r1
### Impact A bug was found in containerd where containers launched with a numeric `User` directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. If a crafted image provides an `/etc/passwd` file mapping this large numeric string to root, the con
- affected < 2.2.2-r0fixed 2.2.2-r0
A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser
- affected < 0fixed 0
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
- affected < 2.2.2-r0fixed 2.2.2-r0
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
- affected < 0fixed 0
If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
- affected < 0fixed 0
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa
- affected < 0fixed 0
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le
- affected < 0fixed 0
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
- affected < 2.2.2-r0fixed 2.2.2-r0
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
- affected < 2.2.2-r0fixed 2.2.2-r0
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
Page 1 of 3