apk package

wolfi/vcluster

pkg:apk/wolfi/vcluster

Vulnerabilities (32)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-33814	Hig	7.5	< 0.34.0-r4	0.34.0-r4	May 7, 2026	When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
CVE-2026-35469	Hig	—	< 0.33.1-r4	0.33.1-r4	Apr 16, 2026	spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count,
CVE-2026-39883	Hig	7.0	< 0.33.1-r2	0.33.1-r2	Apr 8, 2026	OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf
CVE-2026-33817		—	< 0	0	Apr 6, 2026	Rejected reason: CVE confirmed to be a false positive
CVE-2026-34986	Hig	7.5	< 0.33.1-r1	0.33.1-r1	Apr 6, 2026	Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW
CVE-2026-32285	Hig	7.5	< 0.32.1-r7	0.32.1-r7	Mar 26, 2026	The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.
CVE-2025-15558		—	< 0.32.1-r2	0.32.1-r2	Mar 4, 2026	Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are
CVE-2026-1229		—	< 0.32.0-r1	0.32.0-r1	Feb 24, 2026	The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://
CVE-2025-68121	Cri	10.0	< 0.31.0-r2	0.31.0-r2	Feb 5, 2026	During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
CVE-2025-61732		—	< 0.31.0-r2	0.31.0-r2	Feb 5, 2026	A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
CVE-2026-24051		—	< 0.32.0-r2	0.32.0-r2	Feb 2, 2026	OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman
CVE-2025-13281	Med	5.8	< 0.30.3-r1	0.30.3-r1	Dec 14, 2025	A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (i
CVE-2025-58058	Med	5.3	< 0.27.0-r1	0.27.0-r1	Aug 28, 2025	xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the
CVE-2025-5187	Med	6.7	< 0.27.0-r2	0.27.0-r2	Aug 27, 2025	A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is su
CVE-2025-8556	Low	3.7	< 0.25.1-r1	0.25.1-r1	Aug 6, 2025	A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.
CVE-2025-4563	Low	2.7	< 0.26.0-r1	0.26.0-r1	Jun 23, 2025	A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status upda
CVE-2025-22872	Med	6.5	< 0.24.1-r1	0.24.1-r1	Apr 16, 2025	The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
CVE-2025-1767	Med	6.5	< 0.26.0-r1	0.26.0-r1	Mar 13, 2025	This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using t
CVE-2025-22870	Med	4.4	< 0.23.0-r2	0.23.0-r2	Mar 12, 2025	Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
CVE-2025-22868		—	< 0.23.0-r1	0.23.0-r1	Feb 26, 2025	An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

CVE-2026-33814HigMay 7, 2026
affected < 0.34.0-r4fixed 0.34.0-r4
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
CVE-2026-35469HigApr 16, 2026
affected < 0.33.1-r4fixed 0.33.1-r4
spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count,
CVE-2026-39883HigApr 8, 2026
affected < 0.33.1-r2fixed 0.33.1-r2
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf
CVE-2026-33817Apr 6, 2026
affected < 0fixed 0
Rejected reason: CVE confirmed to be a false positive
CVE-2026-34986HigApr 6, 2026
affected < 0.33.1-r1fixed 0.33.1-r1
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW
CVE-2026-32285HigMar 26, 2026
affected < 0.32.1-r7fixed 0.32.1-r7
The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.
CVE-2025-15558Mar 4, 2026
affected < 0.32.1-r2fixed 0.32.1-r2
Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are
CVE-2026-1229Feb 24, 2026
affected < 0.32.0-r1fixed 0.32.0-r1
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://
CVE-2025-68121CriFeb 5, 2026
affected < 0.31.0-r2fixed 0.31.0-r2
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
CVE-2025-61732Feb 5, 2026
affected < 0.31.0-r2fixed 0.31.0-r2
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
CVE-2026-24051Feb 2, 2026
affected < 0.32.0-r2fixed 0.32.0-r2
OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman
CVE-2025-13281MedDec 14, 2025
affected < 0.30.3-r1fixed 0.30.3-r1
A half-blind Server Side Request Forgery (SSRF) vulnerability exists in kube-controller-manager when using the in-tree Portworx StorageClass. This vulnerability allows authorized users to leak arbitrary information from unprotected endpoints in the control plane’s host network (i
CVE-2025-58058MedAug 28, 2025
affected < 0.27.0-r1fixed 0.27.0-r1
xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the
CVE-2025-5187MedAug 27, 2025
affected < 0.27.0-r2fixed 0.27.0-r2
A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is su
CVE-2025-8556LowAug 6, 2025
affected < 0.25.1-r1fixed 0.25.1-r1
A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.
CVE-2025-4563LowJun 23, 2025
affected < 0.26.0-r1fixed 0.26.0-r1
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status upda
CVE-2025-22872MedApr 16, 2025
affected < 0.24.1-r1fixed 0.24.1-r1
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
CVE-2025-1767MedMar 13, 2025
affected < 0.26.0-r1fixed 0.26.0-r1
This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone git repositories from other pods within the same node. Since the in-tree gitRepo volume feature has been deprecated and will not receive security updates upstream, any cluster still using t
CVE-2025-22870MedMar 12, 2025
affected < 0.23.0-r2fixed 0.23.0-r2
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
CVE-2025-22868Feb 26, 2025
affected < 0.23.0-r1fixed 0.23.0-r1
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

Page 1 of 2