Skip to main content

Red Hat CVE-2026-32288

| EUVDEUVD-2026-20016 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-08 Go GHSA-x4jj-h2v8-hqqv
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
4.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 15, 2026 - 12:39 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.5 (MEDIUM)
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 08, 2026 - 01:45 euvd
EUVD-2026-20016
CVE Published
Apr 08, 2026 - 01:06 nvd
N/A

DescriptionCVE.org

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

AnalysisAI

Denial of service via unbounded memory allocation in Go's archive/tar package when parsing maliciously-crafted tar archives containing many sparse regions in old GNU sparse map format. Affects Go standard library versions prior to 1.25.9 and 1.26.2. Local attackers with user interaction can exhaust system memory, crashing applications that process untrusted tar files. No public exploit code identified; EPSS score of 0.01% indicates very low exploitation probability despite moderate CVSS severity.

Technical ContextAI

The Go standard library's archive/tar package implements parsing of the tar archive format, including support for the GNU sparse file extension. The old GNU sparse map format encodes information about sparse regions (gaps in file content) within tar headers. The vulnerability exists in the tar.Reader component when it processes sparse region metadata without properly validating or limiting the number of sparse regions that can be allocated in memory. CWE classification not provided in source data, but the root cause is an unbounded resource allocation vulnerability in archive parsing. CPE cpe:2.3:a:go_standard_library:archive/tar:*:*:*:*:*:*:*:* covers all versions of this standard library component across all product variants.

RemediationAI

Upgrade to Go 1.25.9 or later, or Go 1.26.2 or later, depending on the release branch in use. These patched versions include the fix committed in go.dev/cl/763766. For applications unable to immediately upgrade, implement validation of tar archives from untrusted sources by limiting file processing or sandboxing tar extraction operations. Review upstream advisories at https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU and https://pkg.go.dev/vuln/GO-2026-4869 for comprehensive patching guidance and any additional mitigations.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Development Tools 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Fixed

Share

CVE-2026-32288 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy