Suse
CVE-2026-33481
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
Syft versions before v1.42.3 would not properly cleanup temporary storage if the temporary storage was exhausted during a scan. When scanning archives Syft will unpack those archives into temporary storage then inspect the unpacked contents. Under normal operation Syft will remove the temporary data it writes after completing a scan.
This vulnerability would affect users of Syft that were scanning content that could cause Syft to fill the temporary storage that would then cause Syft to raise an error and exit. When the error is triggered Syft would exit without properly removing the temporary files in use. In our testing this was most easily reproduced by scanning very large artifacts or highly compressed artifacts such as a zipbomb.
Because Syft would not clean up its temporary files, the result would be filling temporary file storage preventing future runs of Syft or other system utilities that rely on temporary storage being available.
Patches
The patch has been released in v1.42.3
Syft now cleans up temporary files when an error condition is encountered.
Workarounds
There are no workarounds for this vulnerability in Syft. Users that find their temporary storage depleted can manually remove the temporary files.
AnalysisAI
Syft versions before v1.42.3 fail to properly clean up temporary files when temporary storage becomes exhausted during archive scanning, allowing an attacker to trigger a denial of service by exhausting the system's temporary storage through highly compressed or large artifacts. This affects all users of Syft who scan untrusted or adversarially-crafted archives, as the vulnerability requires no authentication and can be triggered remotely through the normal scanning interface. The vulnerability has been patched in v1.42.3 and no active exploitation has been reported in the wild, though the attack vector is straightforward and does not require special privileges.
Technical ContextAI
Syft is a Software Bill of Materials (SBOM) generation tool developed by Anchore that processes container images and archives to generate software inventories. The vulnerability stems from improper error handling during the temporary file lifecycle, classified under CWE-460 (Improper Cleanup on Thrown Exception). When Syft unpacks archives into temporary storage for inspection, it relies on cleanup routines to remove these files upon completion; however, when an error condition is encountered (such as exhaustion of disk space), the exception handling does not properly invoke cleanup operations before exiting. The affected product is identified via CPE pkg:go/github.com_anchore_syft, indicating the Go-based Syft tool itself is the vulnerable component. Related components in the Anchore ecosystem, such as Stereoscope (referenced in patch PR #537), may share similar temporary file handling patterns.
RemediationAI
Upgrade Syft to version v1.42.3 or later immediately, as the vendor has released a patch that properly cleans up temporary files when error conditions are encountered. The patch is available in the official Syft repository via pull requests #4629 and #4668 (https://github.com/anchore/syft/pull/4629 and https://github.com/anchore/syft/pull/4668), with additional related fixes in the Stereoscope component (https://github.com/anchore/stereoscope/pull/537). As a temporary workaround for users unable to upgrade immediately, manually remove accumulated temporary files from the system's temporary directory (/tmp on Linux/macOS, %TEMP% on Windows) and implement monitoring to detect when temporary storage approaches saturation. Additionally, validate and sanitize untrusted archives before processing with Syft, or run Syft in isolated containers with limited temporary storage capacity to prevent system-wide impact.
Same weakness CWE-460 – Improper Cleanup on Thrown Exception
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-rjcw-vg7j-m9rc