CVE Catalog

CVE-2026-54448

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

Trivy before version 0.71.0, when scanning Helm chart archives (.tgz), uses a custom tar unpacker that reads each entry with io.ReadAll(tr) without size limit. An attacker can place a malicious .tgz file in the scanned path that decompresses to gigabytes, causing the Trivy process to be killed by the OS OOM killer.

Risk Assessment

The risk is a denial of service (DoS) attack on the Trivy scanner, which can prevent container image scanning and vulnerability detection in CI/CD or production environments.

Recommendation

Immediately update Trivy to version 0.71.0 or later, which includes a fix that limits the size of data read during tar archive extraction.

Original NVD description (English source)

Trivy is a security scanner. Prior to 0.71.0, when Trivy scans a Helm chart archive (.tgz), its custom tar unpacker reads each entry with io.ReadAll(tr) and no size limit. An attacker who can place a malicious .tgz file in the scanned path can craft a small compressed archive that decompresses to gigabytes, causing the Trivy process to be killed by the OS OOM killer. This vulnerability is fixed in 0.71.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS