Skip to main content

Suse CVE-2026-33481

MEDIUM
Improper Cleanup on Thrown Exception (CWE-460)
2026-03-20 https://github.com/anchore/syft GHSA-rjcw-vg7j-m9rc
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Mar 20, 2026 - 21:01 vuln.today
Patch released
Mar 20, 2026 - 21:01 nvd
Patch available
CVE Published
Mar 20, 2026 - 20:46 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Impact

Syft versions before v1.42.3 would not properly cleanup temporary storage if the temporary storage was exhausted during a scan. When scanning archives Syft will unpack those archives into temporary storage then inspect the unpacked contents. Under normal operation Syft will remove the temporary data it writes after completing a scan.

This vulnerability would affect users of Syft that were scanning content that could cause Syft to fill the temporary storage that would then cause Syft to raise an error and exit. When the error is triggered Syft would exit without properly removing the temporary files in use. In our testing this was most easily reproduced by scanning very large artifacts or highly compressed artifacts such as a zipbomb.

Because Syft would not clean up its temporary files, the result would be filling temporary file storage preventing future runs of Syft or other system utilities that rely on temporary storage being available.

Patches

The patch has been released in v1.42.3

Syft now cleans up temporary files when an error condition is encountered.

Workarounds

There are no workarounds for this vulnerability in Syft. Users that find their temporary storage depleted can manually remove the temporary files.

AnalysisAI

Syft versions before v1.42.3 fail to properly clean up temporary files when temporary storage becomes exhausted during archive scanning, allowing an attacker to trigger a denial of service by exhausting the system's temporary storage through highly compressed or large artifacts. This affects all users of Syft who scan untrusted or adversarially-crafted archives, as the vulnerability requires no authentication and can be triggered remotely through the normal scanning interface. The vulnerability has been patched in v1.42.3 and no active exploitation has been reported in the wild, though the attack vector is straightforward and does not require special privileges.

Technical ContextAI

Syft is a Software Bill of Materials (SBOM) generation tool developed by Anchore that processes container images and archives to generate software inventories. The vulnerability stems from improper error handling during the temporary file lifecycle, classified under CWE-460 (Improper Cleanup on Thrown Exception). When Syft unpacks archives into temporary storage for inspection, it relies on cleanup routines to remove these files upon completion; however, when an error condition is encountered (such as exhaustion of disk space), the exception handling does not properly invoke cleanup operations before exiting. The affected product is identified via CPE pkg:go/github.com_anchore_syft, indicating the Go-based Syft tool itself is the vulnerable component. Related components in the Anchore ecosystem, such as Stereoscope (referenced in patch PR #537), may share similar temporary file handling patterns.

RemediationAI

Upgrade Syft to version v1.42.3 or later immediately, as the vendor has released a patch that properly cleans up temporary files when error conditions are encountered. The patch is available in the official Syft repository via pull requests #4629 and #4668 (https://github.com/anchore/syft/pull/4629 and https://github.com/anchore/syft/pull/4668), with additional related fixes in the Stereoscope component (https://github.com/anchore/stereoscope/pull/537). As a temporary workaround for users unable to upgrade immediately, manually remove accumulated temporary files from the system's temporary directory (/tmp on Linux/macOS, %TEMP% on Windows) and implement monitoring to detect when temporary storage approaches saturation. Additionally, validate and sanitize untrusted archives before processing with Syft, or run Syft in isolated containers with limited temporary storage capacity to prevent system-wide impact.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33481 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy