PT-2026-52645 · Hauler · Hauler

Published 2026-06-25 · Updated 2026-06-30 · CVE-2026-48702

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: hauler versions prior to 2.0.1-1.1

Description: The Package.Unmarshal() function in pkg/types/alpine/apk.go decompresses the signature and control gzip members of an APK file into in-memory buffers without bounding the total decompressed size. A decompression bomb (a small compressed input that expands to a very large output) can therefore consume unbounded heap memory, ending in a fatal Go runtime out-of-memory error or an OS OOM-kill of the process. The unbounded decompression is reachable without authentication through the 'POST /api/v1/log/entries' and 'POST /api/v1/log/entries/retrieve' endpoints, which invoke it via the V001Entry.Canonicalize() and fetchExternalEntities() functions. The impact is availability only (C:N/I:N/A:H), which is what the CVSS vector above reflects.

Recommendations: Update to version 2.0.1-1.1.
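The pattern described above, and the bounded alternative a fix for this weakness class typically takes, as an added Go example that is not code from the hauler project or from the advisory. The gzip bomb is a constructed input (a run of zeros, which deflate compresses by roughly three orders of magnitude); the function names unboundedDecompress and boundedDecompress are this example's own, not identifiers from the affected code base.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressedTooLarge is returned when a gzip member inflates past the cap.
var ErrDecompressedTooLarge = errors.New("gzip member exceeds decompressed size limit")

// makeGzipBomb builds a constructed, highly compressible gzip member holding
// n zero bytes. It exists only to give this example a realistic hostile input.
func makeGzipBomb(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zeros := make([]byte, 64*1024)
	for written := 0; written < n; {
		chunk := len(zeros)
		if n-written < chunk {
			chunk = n - written
		}
		if _, err := zw.Write(zeros[:chunk]); err != nil {
			panic(err) // writing to a bytes.Buffer cannot fail in practice
		}
		written += chunk
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// unboundedDecompress mirrors the vulnerable pattern: the whole member is
// inflated into memory with no cap on the output size, so memory use is
// controlled entirely by the sender.
func unboundedDecompress(compressed []byte) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// boundedDecompress inflates at most maxBytes. It reads one byte past the cap
// so that a member exactly at the limit is accepted while a larger one is
// rejected without ever buffering its full output.
func boundedDecompress(compressed []byte, maxBytes int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	out, err := io.ReadAll(io.LimitReader(zr, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxBytes {
		return nil, ErrDecompressedTooLarge
	}
	return out, nil
}

func main() {
	bomb := makeGzipBomb(64 << 20) // 64 MiB of zeros, only tens of KiB compressed
	fmt.Printf("compressed size: %d bytes\n", len(bomb))

	const limit = 4 << 20 // 4 MiB cap for any single member
	if _, err := boundedDecompress(bomb, limit); err != nil {
		fmt.Println("bounded:", err)
	}
	out, _ := unboundedDecompress(bomb)
	fmt.Printf("unbounded: inflated to %d bytes\n", len(out))
}
```

Picking the cap is the design decision: it should be generous for the member type being parsed (signature and control sections of a package are small by nature) but far below what a single request is allowed to cost the process. Where several members of one file are decompressed, the cap should apply to their combined size, not to each member in isolation.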

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2026-48702
GHSA-47Q9-M4WW-924M
OPENSUSE-SU-2026:11154-1

Affected Products

Hauler