GHSA-Q3FV-X8VG-QQM4

Vulnerability from github – Published: 2026-07-14 19:52 – Updated: 2026-07-14 19:52
VLAI
Summary
Trivy: Helm chart tar bomb causes OOM via unbounded io.ReadAll in parser
Details

Summary

When Trivy scans a Helm chart archive (.tgz), its custom tar unpacker reads each entry with io.ReadAll(tr) and no size limit. An attacker who can place a malicious .tgz file in the scanned path can craft a small compressed archive that decompresses to gigabytes, causing the Trivy process to be killed by the OS OOM killer.

Affected configurations

Exploitation requires the attacker to place a crafted .tgz file in a location that Trivy will scan as a Helm chart. This applies to the following scan targets:

Command Condition
trivy config <dir> Directory contains a crafted .tgz Helm chart (misconfiguration scanning is always enabled)
trivy filesystem --scanners misconf <dir> Directory contains a crafted .tgz Helm chart and --scanners misconf is explicitly enabled
trivy image --scanners misconf <image> Image contains a crafted .tgz Helm chart and --scanners misconf is explicitly enabled

Realistic scenarios include: - A CI pipeline that runs trivy config . on a repository where a contributor can submit a pull request containing a crafted chart archive. - A pipeline that scans a container image with --scanners misconf, whose build context includes untrusted .tgz files.

Impact

An attacker who satisfies the conditions above can exhaust all available memory on the host running Trivy. The OS OOM killer will terminate the Trivy process and may affect other processes sharing the same host or CI runner.

The practical impact in CI environments is denial of service: the scan fails, the pipeline is blocked, and repeated submissions re-trigger the same condition. Cloud CI runners may also incur additional costs for consumed resources.

There is no impact on confidentiality or integrity of the scanned system.

Patches

Fixed in Trivy v0.71.0 (#10718). The custom tar unpacker was replaced with archive.LoadArchiveFiles from the official helm.sh/helm/v4 SDK, which enforces per-entry and total size limits and validates archive structure. Users should upgrade to v0.71.0 or later.

Workarounds

If upgrading is not immediately possible: - Set a memory limit (cgroup/container) on the Trivy process to bound the blast radius. - Use --skip-dirs to exclude directories containing untrusted Helm chart archives from the scan. - Avoid scanning repositories or images with untrusted .tgz files.

Credits

Reported by @jamesgol.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/aquasecurity/trivy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.71.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54448"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770",
      "CWE-789"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-14T19:52:14Z",
    "nvd_published_at": "2026-06-25T17:16:41Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nWhen Trivy scans a Helm chart archive (`.tgz`), its custom tar unpacker reads each entry with `io.ReadAll(tr)` and no size limit. An attacker who can place a malicious `.tgz` file in the scanned path can craft a small compressed archive that decompresses to gigabytes, causing the Trivy process to be killed by the OS OOM killer.\n\n## Affected configurations\n\nExploitation requires the attacker to place a crafted `.tgz` file in a location that Trivy will scan as a Helm chart. This applies to the following scan targets:\n\n| Command | Condition |\n| --- | --- |\n| `trivy config \u003cdir\u003e` | Directory contains a crafted `.tgz` Helm chart (misconfiguration scanning is always enabled) |\n| `trivy filesystem --scanners misconf \u003cdir\u003e` | Directory contains a crafted `.tgz` Helm chart **and** `--scanners misconf` is explicitly enabled |\n| `trivy image --scanners misconf \u003cimage\u003e` | Image contains a crafted `.tgz` Helm chart **and** `--scanners misconf` is explicitly enabled |\n\nRealistic scenarios include:\n- A CI pipeline that runs `trivy config .` on a repository where a contributor can submit a pull request containing a crafted chart archive.\n- A pipeline that scans a container image with `--scanners misconf`, whose build context includes untrusted `.tgz` files.\n\n## Impact\n\nAn attacker who satisfies the conditions above can exhaust all available memory on the host running Trivy. The OS OOM killer will terminate the Trivy process and may affect other processes sharing the same host or CI runner.\n\nThe practical impact in CI environments is denial of service: the scan fails, the pipeline is blocked, and repeated submissions re-trigger the same condition. Cloud CI runners may also incur additional costs for consumed resources.\n\nThere is no impact on confidentiality or integrity of the scanned system.\n\n## Patches\n\nFixed in Trivy `v0.71.0` (#10718). The custom tar unpacker was replaced with `archive.LoadArchiveFiles` from the official `helm.sh/helm/v4` SDK, which enforces per-entry and total size limits and validates archive structure. Users should upgrade to `v0.71.0` or later.\n\n## Workarounds\n\nIf upgrading is not immediately possible:\n- Set a memory limit (cgroup/container) on the Trivy process to bound the blast radius.\n- Use `--skip-dirs` to exclude directories containing untrusted Helm chart archives from the scan.\n- Avoid scanning repositories or images with untrusted `.tgz` files.\n\n## Credits\n\nReported by @jamesgol.",
  "id": "GHSA-q3fv-x8vg-qqm4",
  "modified": "2026-07-14T19:52:14Z",
  "published": "2026-07-14T19:52:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aquasecurity/trivy/security/advisories/GHSA-q3fv-x8vg-qqm4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54448"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aquasecurity/trivy/pull/10718"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aquasecurity/trivy/commit/441251e51ae46cbcf7f436547e0a5766b25328b4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aquasecurity/trivy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aquasecurity/trivy/releases/tag/v0.71.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Trivy: Helm chart tar bomb causes OOM via unbounded io.ReadAll in parser"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…