Skip to main content

Trivy CVE-2026-54448

| EUVDEUVD-2026-39479 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-25 GitHub_M GHSA-q3fv-x8vg-qqm4
6.9
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network delivery of crafted archive, no attacker privileges needed, but operator must trigger the scan (UI:R); impact is availability-only, scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Patch available
Jun 25, 2026 - 18:03 EUVD
Source Code Evidence Fetched
Jun 25, 2026 - 17:24 vuln.today
Analysis Generated
Jun 25, 2026 - 17:24 vuln.today

DescriptionCVE.org

Trivy is a security scanner. Prior to 0.71.0, when Trivy scans a Helm chart archive (.tgz), its custom tar unpacker reads each entry with io.ReadAll(tr) and no size limit. An attacker who can place a malicious .tgz file in the scanned path can craft a small compressed archive that decompresses to gigabytes, causing the Trivy process to be killed by the OS OOM killer. This vulnerability is fixed in 0.71.0.

AnalysisAI

Decompression bomb (zip bomb) in Trivy's Helm chart scanner causes denial of service via OOM kill when processing a crafted .tgz archive. Affected versions prior to 0.71.0 use io.ReadAll without any size cap on tar entries inside Helm chart archives, allowing a small compressed file to expand to gigabytes in memory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Place crafted .tgz in scanned path
Delivery
Operator triggers Trivy Helm scan
Exploit
Parser invokes io.ReadAll on tar entry
Execution
Memory exhausted by decompression
Impact
OOM killer terminates Trivy process

Vulnerability AssessmentAI

Exploitation The attacker must be able to place or serve a malicious .tgz file at a path that Trivy is configured to scan - for example, by committing a crafted Helm chart to a repository, uploading to a registry, or depositing a file in a shared artifact directory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H) accurately reflects the risk profile: availability impact is high (process termination), but confidentiality and integrity are unaffected and both the vulnerable system and subsequent systems show no further blast radius. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with write access to a repository or artifact store targeted by a Trivy CI scan uploads a crafted Helm chart .tgz containing a single highly-compressed file that expands to several gigabytes when decompressed. When an automated pipeline or developer runs a Trivy scan against that path, Trivy's parser calls io.ReadAll on the archive entry, allocating gigabytes of memory until the Linux OOM killer terminates the Trivy process, silently interrupting the security scan. …
Remediation Upgrade Trivy to version 0.71.0 or later, which replaces the unbounded io.ReadAll tar unpacking with safe Helm library routines (vendor-released patch confirmed at https://github.com/aquasecurity/trivy/pull/10718 and https://github.com/aquasecurity/trivy/security/advisories/GHSA-q3fv-x8vg-qqm4). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate

Share

CVE-2026-54448 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy