Skip to main content

Suse CVE-2026-48702

HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-25 https://github.com/sigstore/rekor GHSA-47q9-m4ww-924m
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 25, 2026 - 22:31 vuln.today
Analysis Generated
Jun 25, 2026 - 22:31 vuln.today

DescriptionGitHub Advisory

Description

The Package.Unmarshal() function in pkg/types/alpine/apk.go decompresses the signature and control gzip members of an APK file into in-memory buffers without bounding the total decompressed size. The existing max_apk_metadata_size check (default 1MB) is only applied to individual tar entry header sizes after decompression completes, so it does not prevent a decompression bomb from consuming unbounded heap memory.

An attacker can craft a gzip stream that compresses at a ~1000:1 ratio (e.g., 2MB compressed zeros → 2GB decompressed). When submitted as spec.package.content in an Alpine ProposedEntry, the server decompresses the full payload into memory during request processing, triggering a fatal Go runtime out-of-memory error or OS OOM-kill that cannot be caught by the server's recover() middleware.

This is reachable via two unauthenticated endpoints:

  • POST /api/v1/log/entries (createLogEntry)
  • POST /api/v1/log/entries/retrieve (searchLogQuery)

Both invoke V001Entry.Canonicalize()fetchExternalEntities()apk.Unmarshal(packageData), which performs the unbounded decompression.

Workarounds

There is no effective workaround. Setting max_request_body_size reduces but does not eliminate exposure due to the ~1000:1 compression ratio (a 1MB body limit still allows ~1GB heap allocation). Setting max_apk_metadata_size has no effect on this vulnerability since the check is applied after decompression.

AnalysisAI

Remote unauthenticated denial of service in Sigstore Rekor (>= 0.3.0, < 1.5.2) allows attackers to crash the transparency log server via a gzip decompression bomb in its Alpine APK parsing path. The Package.Unmarshal() function decompresses the signature and control gzip members of a submitted APK into memory without bounding total decompressed size, so a ~1000:1 compression ratio payload (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

24 hours: Identify and document all Sigstore Rekor installations, noting their versions (vulnerable: 0.3.0-1.5.1). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 12 Affected

Share

CVE-2026-48702 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy