Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 573
Alerts This Week
Warning Icon 1 573

openSUSE Trivy Important DoS Arbitrary File Write Vulnern 2026-21249-1

opensuse
Calendar Grey July 8, 2026
Dist Opensuse Esm H88
Updates for openSUSE's trivy resolve significant issues including denial of service and file write vulnerabilities. Stay secure!
An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.

Description

This update for trivy fixes the following issues

Update to version 0.72.0.

- CVE-2026-54448: tar unpacker reads scanned Helm chart archives (.tgz) with `io.ReadAll(tr)` and defines no size

limit, which can lead to a DoS (bsc#1269271).

- CVE-2026-55092: `org.opencontainers.image.title` annotation from OCI artifact manifest is used as a destination

filename without validation and can lead to arbitrary file writes (bsc#1269269).

Other updates and bugfixes:

- Version 0.72.0:

* feat(bottlerocket): add vulnerability matching for Bottlerocket OS (#10893)

* fix(misconf): support github_repository_vulnerability_alerts resource (#10680)

* feat(java): detect JAR licenses from packaged LICENSE files (#10856)

* fix(nodejs): parse project dependencies from multi-document pnpm-lock.yaml (#10861)

* fix(server): propagate package repository class in client/server mode (#10874)

* chore(deps): bump github.com/containerd/containerd/v2 from 2.3.1 to 2.3.2 (#10888)

* fix(vuln): fall...

Read the Full Advisory

Patch

Package List

- openSUSE Leap 16.0:

trivy-0.72.0-160000.1.1

References

* bsc#1269269

* bsc#1269271

References:

* https://www.suse.com/security/cve/CVE-2026-54448.html

* https://www.suse.com/security/cve/CVE-2026-55092.html

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: openSUSE-SU-2026:21249-1
Rating: important
Affected Products: openSUSE Leap 16.0 -------------------------------------------------------------

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.