CVE-2026-54448

Trivy is a security scanner. Prior to 0.71.0, when Trivy scans a Helm chart archive (.tgz), its custom tar unpacker reads each entry with io.ReadAll(tr) and no size limit. An attacker who can place a malicious .tgz file in the scanned path can craft a small compressed archive that decompresses to gigabytes, causing the Trivy process to be killed by the OS OOM killer. This vulnerability is fixed in 0.71.0.
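The hardened pattern for the defect described above, as an added illustration in Go that is not Trivy's own code nor the fix in the linked pull request: the unbounded io.ReadAll(tr) on each tar entry is replaced by an io.LimitReader with a per-entry cap, so an entry that decompresses past the cap is rejected rather than buffered until the OOM killer fires. The cap value, the names readBounded and makeTGZ, and the in-memory archive built for the demonstration are assumptions.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
)
// maxEntryBytes is an assumed illustrative cap, not Trivy's own setting.
const maxEntryBytes int64 = 1 << 20 // 1 MiB per tar entry
// readBounded unpacks a .tgz into memory but swaps the unbounded io.ReadAll(tr)
// for a LimitReader, so an oversized entry fails after cap+1 bytes, not at OOM.
func readBounded(r io.Reader) (map[string][]byte, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	tr, out := tar.NewReader(gz), map[string][]byte{}
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		// Do not trust hdr.Size: read at most cap+1 bytes; an extra byte proves the entry is too big.
		data, err := io.ReadAll(io.LimitReader(tr, maxEntryBytes+1))
		if err != nil {
			return nil, err
		}
		if int64(len(data)) > maxEntryBytes {
			return nil, fmt.Errorf("%s: entry exceeds %d bytes", hdr.Name, maxEntryBytes)
		}
		out[hdr.Name] = data
	}
}

// makeTGZ builds a constructed single-entry archive, used only for the demonstration.
func makeTGZ(name string, body []byte) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg})
	tw.Write(body)
	tw.Close()
	gz.Close()
	return buf.Bytes()
}
```

A production unpacker would additionally enforce a whole-archive total and an entry count, since many small entries can add up to the same exhaustion.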
Configurations

Configuration 1

cpe:2.3:a:aquasec:trivy:*:*:*:*:*:go:*:*

History

26 Jun 2026, 19:27

Type: References
  Values Removed: https://github.com/aquasecurity/trivy/pull/10718
  Values Added:   https://github.com/aquasecurity/trivy/pull/10718 - Issue Tracking, Third Party Advisory
Type: References
  Values Removed: https://github.com/aquasecurity/trivy/security/advisories/GHSA-q3fv-x8vg-qqm4
  Values Added:   https://github.com/aquasecurity/trivy/security/advisories/GHSA-q3fv-x8vg-qqm4 - Third Party Advisory
Type: CPE
  Values Added:   cpe:2.3:a:aquasec:trivy:*:*:*:*:*:go:*:*
Type: CVSS
  Values Removed: v2 : unknown, v3 : unknown
  Values Added:   v2 : unknown, v3 : 6.5
Type: First Time
  Values Added:   Aquasec; Aquasec trivy

25 Jun 2026, 20:20

Type: References
  Values Removed: https://github.com/aquasecurity/trivy/pull/10718
  Values Added:   https://github.com/aquasecurity/trivy/pull/10718
Type: References
  Values Removed: https://github.com/aquasecurity/trivy/security/advisories/GHSA-q3fv-x8vg-qqm4
  Values Added:   https://github.com/aquasecurity/trivy/security/advisories/GHSA-q3fv-x8vg-qqm4

25 Jun 2026, 17:16

Type: New CVE

Information

Published : 2026-06-25 17:16

Updated : 2026-06-26 19:27


NVD link : CVE-2026-54448

Mitre link : CVE-2026-54448

CVE.ORG link : CVE-2026-54448



Products Affected

aquasec

  • trivy
CWE
CWE-770: Allocation of Resources Without Limits or Throttling

CWE-789: Memory Allocation with Excessive Size Value