RUSTSEC-2026-0148 OCI layer symlink escape → arbitrary host write

Affected versions of boxlite extract OCI image layer tarballs without fully containing path resolution to the extraction root. A crafted layer containing a symlink whose target is an absolute on-host path e.g. escape - /tmp followed by a file entry that resolves through that symlink e.g...

Symlink Attack

Overview @boxlite-ai/boxlite is a BoxLite - Embeddable micro-VM runtime for secure, isolated code execution Affected versions of this package are vulnerable to Symlink Attack via improper path resolution during extraction of OCI image layer tarballs. An attacker can write arbitrary files to...

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack via improper path resolution during extraction of OCI image layer tarballs. An attacker can write arbitrary files to locations outside the intended extraction root by crafting a layer with a symlink pointing to an absolut...

EUVD-2026-20515

A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server...

SUSE CVE-2018-16641

ImageMagick 7.0.8-6 has a memory leak vulnerability in the TIFFWritePhotoshopLayers function in coders/tiff.c...

EulerOS 2.0 SP10 : docker-engine (EulerOS-SA-2022-1501)

According to the versions of the docker-engine packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In containerd an industry-standard container runtime before version 1.2.14 there is a credential leaking vulnerability. If a container...

QEMU 代码问题漏洞

QEMU Quick Emulator is a set of simulation processor software by Fabrice Bellard, a French individual developer. The software is fast and cross-platform. A code issue vulnerability exists in QEMU versions prior to 6.2.0, which stems from a null pointer dereference issue found in the block image...

Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0 1.10.3 17.03.0 17.03.1 17.03.2 17.06.0 17.06.1 17.06.2 17.09.0 and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload aka gzip bombing.

...

OPENSUSE-SU-2021:0810-1 Security update for singularity

This update for singularity fixes the following issues: singularity was updated to version 3.7.3: - Fix for CVE-2021-29136: A dependency used to extract docker/OCI image layers can be tricked into modifying host files by creating a malicious layer that has a symlink with the name '.' or '/', when...

CVE-2020-15157

In containerd an industry-standard container runtime before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer otherwise known as a “foreign...

CVE-2017-14992

Lack of content verification in Docker-CE Also known as Moby versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing...

CVE-2017-14992

Lack of content verification in Docker-CE Also known as Moby versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing...

UBUNTU-CVE-2017-14992

Lack of content verification in Docker-CE Also known as Moby versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing...

Core Image Fun House <= 2.0 Arbitrary Code Execution PoC (OSX)

No description provided by source. !/usr/bin/ruby Copyright c Netragard, LLC. [email protected] /Developer/Applications/Graphics Tools/Core Image Fun House.app /Contents/MacOS/Core Image Fun House gdb x/10s 0xbfffddf7 0xbfffddf7: 'Z' repeats 101 times, "DCBA center" 2007-07-10 21:15:34.573 Cor...