CVE-2026-33481

MEDIUM
2026-03-20 https://github.com/anchore/syft GHSA-rjcw-vg7j-m9rc
5.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Mar 20, 2026 - 21:01 vuln.today
Patch Released
Mar 20, 2026 - 21:01 nvd
Patch available
CVE Published
Mar 20, 2026 - 20:46 nvd
MEDIUM 5.3

Tags

Information Disclosure

Description

### Impact Syft versions before v1.42.3 would not properly cleanup temporary storage if the temporary storage was exhausted during a scan. When scanning archives Syft will unpack those archives into temporary storage then inspect the unpacked contents. Under normal operation Syft will remove the temporary data it writes after completing a scan. This vulnerability would affect users of Syft that were scanning content that could cause Syft to fill the temporary storage that would then cause Syft to raise an error and exit. When the error is triggered Syft would exit without properly removing the temporary files in use. In our testing this was most easily reproduced by scanning very large artifacts or highly compressed artifacts such as a zipbomb. Because Syft would not clean up its temporary files, the result would be filling temporary file storage preventing future runs of Syft or other system utilities that rely on temporary storage being available. ### Patches The patch has been released in v1.42.3 Syft now cleans up temporary files when an error condition is encountered. ### Workarounds There are no workarounds for this vulnerability in Syft. Users that find their temporary storage depleted can manually remove the temporary files.

Analysis

Syft versions before v1.42.3 fail to properly clean up temporary files when temporary storage becomes exhausted during archive scanning, allowing an attacker to trigger a denial of service by exhausting the system's temporary storage through highly compressed or large artifacts. This affects all users of Syft who scan untrusted or adversarially-crafted archives, as the vulnerability requires no authentication and can be triggered remotely through the normal scanning interface. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

27
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +26
POC: 0

Share

CVE-2026-33481 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy