CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-54448

CVE-2026-54448: Denial of Service in Trivy Helm Chart Parser via Decompression Bomb

Alon Barad
Alon Barad
Software Engineer

Jul 14, 2026·7 min read·3 visits

Executive Summary (TL;DR)

Trivy versions prior to 0.71.0 are vulnerable to Denial of Service (DoS) via decompression bombs. The custom Helm chart unpacker uses unbounded memory reads, allowing small malicious archives to exhaust host memory and crash the scanner process.

CVE-2026-54448 is a critical denial of service vulnerability in Trivy's Infrastructure-as-Code (IaC) misconfiguration scanning engine. Prior to version 0.71.0, Trivy utilized a custom archive parser to unpack Helm chart tarballs (.tgz) during automated scans. This custom implementation iterated through compressed files and loaded their entire raw contents into system memory using the io.ReadAll function without implementing size limits or threshold checks, enabling an attacker to trigger an immediate heap-allocation crash or system Out-of-Memory (OOM) termination using a decompression bomb.

Vulnerability Overview

Trivy is an open-source security utility widely deployed in continuous integration pipelines, container registries, and local developer environments to detect vulnerabilities, secrets, and Infrastructure-as-Code (IaC) misconfigurations. The misconfiguration engine scans Helm chart directories and archived packages to identify security policy violations before deployment. To parse compressed Helm charts, the engine must extract raw file content from the standard tape archive format (.tar) wrapped in GNU zip compression (.tgz).

Prior to version 0.71.0, the package responsible for handling Helm chart archives relied on a custom-built file extraction utility. When traversing a targeted filesystem, directory, or artifact repository, the scanner automatically parsed any identified archive files matching Helm patterns. This automated ingestion of untrusted archives exposes a significant attack surface in continuous integration pipelines, where scans are triggered dynamically on unvetted code submissions.

This behavior exposes the underlying application to several resource management vulnerabilities, classified under CWE-409 (Improper Handling of Highly Compressed Data), CWE-770 (Allocation of Resources Without Limits or Throttling), and CWE-789 (Memory Allocation with Excessive Size Value). A remote attacker can exploit these weaknesses by submitting a crafted Helm archive containing highly compressed files. The resulting processing causes complete failure of the execution pipeline, disrupting developers and automation agents alike.

Root Cause Analysis

The technical root cause of CVE-2026-54448 lies within the legacy archive parsing code located at pkg/iac/scanners/helm/parser/parser_tar.go. When processing a Helm chart archive, the scanner initialized a standard Go *tar.Reader object to iterate through individual entries within the compressed stream. For each regular file entry detected within the archive header, the unpacker attempted to read and write the data directly to a virtual filesystem.

The critical programming error occurred during the reading phase, where the application executed the Go standard library function io.ReadAll(tr) directly on the uncompressed tar reader stream. Go's io.ReadAll function reads from an io.Reader interface until it encounters an End-of-File (EOF) token. Because the raw data size is unknown beforehand, the runtime dynamically allocates and doubles the capacity of an underlying byte slice to accommodate incoming data.

This behavior represents an unbounded allocation flaw. Gzip compression algorithms allow extremely high compression ratios, enabling an attacker to package massive payloads—composed of highly repetitive sequences like null bytes—into a small archive. When the reader transparently inflates this stream, the Go runtime repeatedly performs heap allocations to expand the byte slice. If the expanded content exceeds the available host memory before reaching an EOF marker, the runtime triggers a panic or is forcefully terminated by the kernel's Out-of-Memory (OOM) killer.

Code Analysis

An analysis of the vulnerable source code highlights the risk of reading directly from an untrusted compression stream. In the legacy implementation of parser_tar.go, the application handled standard files without imposing size checks:

// pkg/iac/scanners/helm/parser/parser_tar.go
 
case tar.TypeReg:
    // VULNERABLE: io.ReadAll reads the uncompressed stream until EOF without a size limit
    data, err := io.ReadAll(tr)
    if err != nil {
        return fmt.Errorf("read file: %w", err)
    }
 
    p.logger.Debug("Unpacking tar entry", log.FilePath(targetPath))
    if err := writeFile(targetFS, data, targetPath); err != nil {
        return err
    }

To remediate this, the maintenance team removed parser_tar.go entirely. Instead of attempting to parse archives with a custom loop, they refactored the parent package in pkg/iac/scanners/helm/parser/parser.go to leverage the official Helm SDK archive loader (helm.sh/helm/v4/pkg/chart/loader/archive):

// pkg/iac/scanners/helm/parser/parser.go (Patched)
 
func (p *Parser) ParseArchive(ctx context.Context, fsys fs.FS, archivePath string) ([]Manifest, error) {
	f, err := fsys.Open(archivePath)
	if err != nil {
		return nil, fmt.Errorf("open archive: %w", err)
	}
	defer f.Close()
 
	// SECURE: Offload decompression and extraction logic to the upstream Helm SDK
	files, err := archive.LoadArchiveFiles(f)
	if err != nil {
		return nil, fmt.Errorf("load archive files: %w", err)
	}
 
	for _, file := range files {
		if file.Name == chartutilv2.ChartfileName {
			p.applyChartName(file.Data, "")
			break
		}
	}
 
	return p.render(ctx, files)
}

By utilizing archive.LoadArchiveFiles from the Helm SDK, the system inherits built-in security constraints. The upstream SDK defines hard limits on individual file sizes (for example, limiting metadata and manifest processing to a safe threshold) and restricts overall memory footprints during parsing, preventing decompression bombs from exhausting host resources.

Exploitation and Attack Methodology

To exploit this vulnerability, an attacker must introduce a crafted Helm chart archive into a directory structure or repository that will undergo a Trivy scanning sweep. The exploitation vector does not require privileged administrative access, merely the ability to commit files to a repository or push to a container registry target that triggers automated scanning pipeline tasks.

An attacker can craft a decompression bomb locally using standard Unix command-line utilities. This involves generating a massive sparse file containing repeating data, compressing it to achieve a high compression ratio, and packaging it within a nested structure. When Trivy attempts to evaluate the file, the scanning process crashes immediately. The logical execution flow is illustrated below:

Because the crash occurs prior to the generation of any scanning reports, an attacker can use this technique to block security compliance checks or prevent automated integration pipelines from verifying any code, creating a significant operational barrier.

Impact Assessment

The physical impact of exploitation is localized denial of service (DoS). When Trivy encounters the decompression bomb, the memory usage spikes rapidly, consuming all available space on the heap. In environments where resource boundaries are not enforced, this memory leak can degrade neighboring services running on the same host operating system.

In continuous integration and development settings, pipelines are terminated immediately when the runner process is killed. This breaks development workflows and prevents clean builds from completing. If Trivy is run as an admission controller inside a Kubernetes cluster or as a daemonset scanner, the resulting resource starvation can crash container daemons, potentially leading to cascading node instability.

While there is no confidentiality or integrity impact, the vulnerability presents a low attack complexity. Because no user interaction is required beyond the normal operation of a scanning pipeline, the exploitability remains high. The CVSS metrics evaluate this vulnerability with a base score of 6.5 (Medium), emphasizing the impact on application availability.

Remediation and Verification

The primary remediation strategy is upgrading Trivy to version 0.71.0 or newer. This release replaces the custom archive extraction package with safe library calls. If you use containerized scanning agents, update your dockerfiles and Kubernetes configurations to use official tags representing version 0.71.0 or later.

If immediate software upgrading is impossible, several mitigating actions can limit exposure. You can configure Trivy to explicitly ignore tar and zip archive extensions by appending skip arguments to your runtime execution parameters:

trivy fs --skip-files "**/*.tgz,**/*.tar.gz,**/*.tar" /workspace

Additionally, enforce memory resource limits on the runner environments executing security audits. For instance, running the tool under Docker with memory constraints prevents the process from consuming more than its allocated threshold, isolating the memory impact and protecting the host machine from exhaustion:

docker run --memory="2g" aquasec/trivy:0.70.0 fs /workspace

Official Patches

Aqua SecurityFixing Pull Request #10718

Fix Analysis (1)

Technical Appendix

CVSS Score
6.5/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Probability
0.25%
Top 84% most exploited

Affected Systems

Aqua Security Trivy (versions < 0.71.0)

Affected Versions Detail

Product
Affected Versions
Fixed Version
Trivy
Aqua Security
< 0.71.00.71.0
AttributeDetail
Vulnerability TypeImproper Handling of Highly Compressed Data (CWE-409)
Attack VectorNetwork
Attack ComplexityLow
CVSS v3.1 Base Score6.5 (Medium)
EPSS Score0.0025
KEV StatusNot Listed
Exploit Maturitynone

MITRE ATT&CK Mapping

T1499Endpoint Denial of Service
Impact
CWE-409
Improper Handling of Highly Compressed Data (Decompression Bomb)

The product does not properly handle highly compressed data, such as zip bombs or tar bombs, which can allow an attacker to consume excessive memory or CPU resources, leading to a denial of service.

Vulnerability Timeline

Pull Request #10718 merged to refactor Helm parsing logic
2026-05-27
CVE-2026-54448 officially published to NVD
2026-06-25
Security advisory GHSA-q3fv-x8vg-qqm4 published by Aqua Security
2026-06-25

References & Sources

  • [1]GitHub Security Advisory GHSA-q3fv-x8vg-qqm4
  • [2]Trivy Refactor PR #10718
  • [3]Fixing Commit 441251e51ae46cbcf7f436547e0a5766b25328b4
  • [4]Trivy v0.71.0 Release Notes
  • [5]NVD CVE-2026-54448 Detail

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•35 minutes ago•GHSA-PQG7-V6WH-3PFP
8.5

GHSA-pqg7-v6wh-3pfp: IP Spoofing and Access Control Bypass via HTTP Header Injection in TsDProxy

A high-severity input sanitization and header injection vulnerability in TsDProxy allows authenticated Tailscale users to inject arbitrary values into the X-Forwarded-For and X-Real-IP HTTP headers. Because downstream backend services frequently trust these headers to resolve client identities, attackers can exploit this flaw to bypass IP-based access control lists, audit logs, and geo-blocking restrictions.

Amit Schendel
Amit Schendel
2 views•5 min read
•about 2 hours ago•GHSA-9HC2-HJX8-Q6PV
9.6

GHSA-9HC2-HJX8-Q6PV: Remote Code Execution in TidGi Desktop via Malicious TiddlyWiki Repository Import

A critical remote code execution vulnerability exists in TidGi Desktop up to version 0.13.0. The flaw allows an attacker to execute arbitrary code with Node.js privileges when a user imports or clones a malicious TiddlyWiki repository. This occurs due to the automatic execution of 'startup' modules defined in user-imported tiddler files.

Alon Barad
Alon Barad
3 views•5 min read
•about 2 hours ago•GHSA-MQXV-9RM6-W8QC
8.7

GHSA-MQXV-9RM6-W8QC: CPU Exhaustion in Ech0 i18n Middleware via Accept-Language Header Parser Bypass

A critical Denial of Service (DoS) vulnerability in the Ech0 publishing platform allows unauthenticated remote attackers to exhaust CPU resources via a crafted Accept-Language header. By utilizing underscore separators instead of hyphens, the attack bypasses the CVE-2022-32149 guard within the Go language tag parser, triggering a quadratic-time complexity operation.

Amit Schendel
Amit Schendel
4 views•5 min read
•about 3 hours ago•GHSA-HGJX-R89M-M7V4
9.9

GHSA-HGJX-R89M-M7V4: Remote Code Execution via Path Traversal in FacturaScripts

FacturaScripts is an open-source PHP-based enterprise resource planning (ERP) and billing software. A critical path traversal vulnerability in the file-handling logic allows authenticated attackers with file upload permissions to write arbitrary files to any location on the system writable by the web server user. By writing custom server configuration files (.htaccess) to directories excluded from default rewrite rules, attackers can map allowed file types (like .png) to the PHP interpreter, leading to full remote code execution.

Amit Schendel
Amit Schendel
5 views•7 min read
•about 4 hours ago•GHSA-7RX3-5WX3-5V76
7.7

GHSA-7rx3-5wx3-5v76: Missing Authorization in Nebula-mesh Webhook Subscription API Enables Server-Side Request Forgery

Nebula-mesh allows non-admin operators to disable webhook SSRF (Server-Side Request Forgery) protection via the allow_private parameter. Low-privilege operators can configure webhook endpoints targeting internal endpoints and trigger lifecycle events on resources they own, bypassing network access controls.

Amit Schendel
Amit Schendel
6 views•4 min read
•about 4 hours ago•GHSA-Q3V2-XJ35-9GRX
4.9

GHSA-Q3V2-XJ35-9GRX: Unrestricted Configuration Resolution in Umbraco.AI Leads to Sensitive Information Exposure

An information exposure vulnerability exists in Umbraco.AI package versions up to 1.13.0, where an authenticated backoffice user with elevated privileges can resolve and retrieve arbitrary configuration values from the global ASP.NET Core IConfiguration hierarchy.

Alon Barad
Alon Barad
7 views•6 min read