EUVD-2026-24031
OpenBao: Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS)
Summary: ExtractPluginFromImage in OpenBao's OCI plugin downloader extracts a plugin binary from a container image by streaming decompressed tar data via io.Copy with no upper bound on the number of bytes written. An attacker who controls or compromises the OCI registry referenced in the victim's...
CVE-2026-39396
A flaw was found in OpenBao. An attacker who controls or compromises the Open Container Initiative (OCI) registry can exploit a vulnerability in OpenBao's OCI plugin downloader. By serving a specially crafted container image, the attacker can cause the system to decompress an arbitrarily large file...
SUSE CVE-2026-39396
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, ExtractPluginFromImage in OpenBao's OCI plugin downloader extracts a plugin binary from a container image by streaming decompressed tar data via io.Copy with no upper bound on the number of bytes written. ...
Uncontrolled Recursion
Overview: Affected versions of this package are vulnerable to Uncontrolled Recursion via the ExtractPluginFromImage function. An attacker can cause disk exhaustion by supplying a crafted container image containing a decompression bomb, which decompresses to an arbitrarily large file during plugin...
CVE-2026-39396
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, ExtractPluginFromImage in OpenBao's OCI plugin downloader extracts a plugin binary from a container image by streaming decompressed tar data via io.Copy with no upper bound on the number of bytes written. ...
OpenBao Security Vulnerability
OpenBao is an open-source sensitive data management software developed by OpenBao. Versions of OpenBao prior to 2.5.3 contained security vulnerabilities. These vulnerabilities stemmed from the ExtractPluginFromImage function in the OCI plugin downloader, which did not limit the number of bytes...
PT-2026-33882
Name of the Vulnerable Software and Affected Versions: OpenBao versions prior to 2.5.3. Description: The OCI plugin downloader contains an issue in the ExtractPluginFromImage function where plugin binaries are extracted from container images by streaming decompressed tar data via io.Copy without a...
PT-2026-34181
A vulnerability was determined in Sanluan PublicCMS up to 6.202506.d. Affected is the function log login of the file core/src/main/java/com/publiccms/controller/admin/LoginAdminController.java of the component Failed Login Handler. This manipulation of the argument errorPassword causes cleartext...
Unity Linux 20.1050a Security Update: kernel (UTSA-2026-007013)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007013 advisory. In the Linux kernel, the following vulnerability has been resolved: xfs: do not propagate ENODATA disk errors into xattr code ENODATA aka ENOATTR has a very specifi...
Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013002)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013002 advisory. In the Linux kernel, the following vulnerability has been resolved: bfs: Reconstruct file type when loading from disk syzbot is reporting that S_IFMT bits of...
Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013044)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013044 advisory. In the Linux kernel, the following vulnerability has been resolved: jfs: Verify inode mode when loading from disk The inode mode loaded from corrupted disk can be...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-011036)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011036 advisory. In the Linux kernel, the following vulnerability has been resolved: md: raid1: fix potential OOB in raid1_remove_disk() If rddev->raid_disk is greater than mddev->raid_disks...
Unity Linux 20.1050e / 20.1070e Security Update: kernel (UTSA-2026-011388)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011388 advisory. In the Linux kernel, the following vulnerability has been resolved: jfs: Verify inode mode when loading from disk The inode mode loaded from corrupted disk can be...
Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-006910)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006910 advisory. In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() Patch series nilfs2: fix UBSAN...
Unity Linux 20.1070e Security Update: kernel (UTSA-2026-010748)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-010748 advisory. In the Linux kernel, the following vulnerability has been resolved: blk-mq: cancel blk-mq dispatch work in both blk_cleanup_queue and disk_release() For avoiding to slow...
Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-010811)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-010811 advisory. In the Linux kernel, the following vulnerability has been resolved: md/raid1: stop mdx_raid1 thread when raid1 array run failed fail run raid1 array when we assemble...
Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-013125)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013125 advisory. In the Linux kernel, the following vulnerability has been resolved: md/raid1: stop mdx_raid1 thread when raid1 array run failed fail run raid1 array when we assemble...