PT-2026-25101 · Go · Github.Com/Chainguard-Dev/Malcontent
Published 2026-03-02 · Updated 2026-03-02
CVSS v3.1: 5.3 Medium (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Several extraction and scanning code paths registered their deferred cleanup calls late, which could leak resources and exhaust system resources.
This report is an aggregate of these individual reports for the affected code:
| Advisory | Affected File |
|---|---|
| GHSA-jjgh-mc5q-gch7 | pkg/action/scan.go |
| GHSA-mwmf-fxh2-w4x7 | pkg/archive/deb.go |
| GHSA-p8j3-rpf5-gwv3 | pkg/archive/gzip.go |
| GHSA-qfh4-7f5v-75gq | pkg/archive/zlib.go |
| GHSA-wxxf-r586-5rf5 | pkg/archive/bzip2.go |
Fix: #1354, #1355, #1356, #1361
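The late-defer pattern named in the description, as an added Go example that is not malcontent's own code: it assumes the common shape where cleanup is deferred only after a fallible call (here `gzip.NewReader`) and compares it with deferring immediately after acquisition. `openHandles`, `openSource`, `extractLate`, `extractEarly` and `leakedAfter` are hypothetical names, and the malformed input is constructed.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
)

var openHandles int // constructed stand-in for file descriptors: opened minus released

func openSource(data []byte) (io.Reader, func()) {
	openHandles++
	return bytes.NewReader(data), func() { openHandles-- }
}

func extractLate(data []byte) error {
	src, release := openSource(data)
	zr, err := gzip.NewReader(src)
	if err != nil {
		return err // src is never released on this path
	}
	defer release() // registered late: skipped by the early return above
	_, err = io.Copy(io.Discard, zr)
	return err
}

func extractEarly(data []byte) error {
	src, release := openSource(data)
	defer release() // registered right after acquisition: runs on every return
	zr, err := gzip.NewReader(src)
	if err != nil {
		return err
	}
	_, err = io.Copy(io.Discard, zr)
	return err
}

func leakedAfter(fn func([]byte) error, n int) int {
	openHandles = 0
	for i := 0; i < n; i++ {
		_ = fn([]byte("not a gzip stream")) // malformed header forces the error path
	}
	return openHandles
}

func main() {
	fmt.Println("late:", leakedAfter(extractLate, 100), "early:", leakedAfter(extractEarly, 100))
}
```

Each malformed input leaves one handle open in the late variant, which is how a scanner fed many bad archives drifts toward its descriptor limit.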
Acknowledgements
Thank you to Oleh Konko from 1seal for discovering and reporting all six of these issues.
Fix
Resource Exhaustion
Affected Products
Github.Com/Chainguard-Dev/Malcontent