Scan Another

CVE Scan for alpine/kubectl:1.35.3

Docker image vulnerability scanner

35 Known Vulnerabilities in this Docker Image

0
Critical
13
High
16
Medium
4
Low
0
Info/ Unspecified/ Unknown
CVE IDSeverityPackageAffected VersionFixed VersionCVSS Score
CVE-2026-35469highspdystream<=0.5.00.5.18.7

The SPDY/3 frame parser in spdystream does not validate attacker-controlled counts and lengths before allocating memory. A remote peer that can send SPDY frames to a service using spdystream can cause the process to allocate gigabytes of memory with a small number of malformed control frames, leading to an out-of-memory crash.   Three allocation paths in the receive side are affected:

  1. SETTINGS entry count -- The SETTINGS frame reader reads a 32-bit numSettings from the payload and allocates a slice of that size without checking it against the declared frame length. An attacker can set numSettings to a value far exceeding the actual payload, triggering a large allocation before any setting data is read.
  2. Header count -- parseHeaderValueBlock reads a 32-bit numHeaders from the decompressed header block and allocates an http.Header map of that size with no upper bound.
  3. Header field size -- Individual header name and value lengths are read as 32-bit integers and used directly as allocation sizes with no validation.

  Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into attacker-controlled bytes that the parser interprets as 32-bit counts and lengths. A single crafted frame is enough to exhaust process memory.

Impact

 Any program that accepts SPDY connections using spdystream -- directly or through a dependent library -- is affected. A remote peer that can send SPDY frames to the service can crash the process with a single crafted SPDY control frame, causing denial of service.

Affected versions

 github.com/moby/spdystream <= v0.5.0

Fix

 v0.5.1 addresses the receive-side allocation bugs and adds related hardening:   Core fixes:  

  • SETTINGS entry-count validation -- The SETTINGS frame reader now checks that numSettings is consistent with the declared frame length (numSettings <= (length-4)/8) before allocating.
  • Header count limit -- parseHeaderValueBlock enforces a maximum number of headers per frame (default: 1000).
  • Header field size limit -- Individual header name and value lengths are checked against a per-field size limit (default: 1 MiB) before allocation.
  • Connection closure on protocol error -- The connection read loop now closes the underlying net.Conn when it encounters an InvalidControlFrame error, preventing further exploitation on the same connection.

  Additional hardening:  

  • Write-side bounds checks -- All frame write methods now verify that payloads fit within the 24-bit length field, preventing the library from producing invalid frames.

  Configurable limits:  

  • Callers can adjust the defaults using NewConnectionWithOptions or the lower-level spdy.NewFramerWithOptions with functional options: WithMaxControlFramePayloadSize, WithMaxHeaderFieldSize, and WithMaxHeaderCount.

 

Relevance:

This vulnerability is highly relevant for normal usage as it targets the core functionality of `kubectl` and `alpine`, potentially allowing remote code execution or unauthorized cluster access. It becomes critical in CI/CD pipelines or automated environments where the tool processes untrusted manifests or connects to unverified Kubernetes API servers. In such scenarios, an attacker could exploit the flaw to compromise the host system or pivot throughout the container orchestration layer. (Note: Relevance analysis is automatically generated and may require verification.)

Package URL(s):
  • pkg:golang/github.com/moby/spdystream@0.5.0
CVE-2026-40200highmusl<1.2.5-r231.2.5-r238.1
CVE-2026-25679highpkg:golang/stdlib@1.25.7<1.25.81.25.87.5
CVE-2026-2673highopenssl<3.5.6-r03.5.6-r07.5
CVE-2026-27135highnghttp2<=1.68.0-r0not fixed7.5
CVE-2026-28388highopenssl<3.5.6-r03.5.6-r07.5
CVE-2026-28389highopenssl<3.5.6-r03.5.6-r07.5
CVE-2026-28390highopenssl<3.5.6-r03.5.6-r07.5
CVE-2026-31790highopenssl<3.5.6-r03.5.6-r07.5
CVE-2026-32280highpkg:golang/stdlib@1.25.7<1.25.91.25.97.5

Severity Levels

Exploitation could lead to severe consequences, such as system compromise or data loss. Requires immediate attention.

Vulnerability could be exploited relatively easily and lead to significant impact. Requires prompt attention.

Exploitation is possible but might require specific conditions. Impact is moderate. Should be addressed in a timely manner.

Exploitation is difficult or impact is minimal. Address when convenient or as part of regular maintenance.

Severity is not determined, informational, or negligible. Review based on context.

Sliplane Icon
About Sliplane

Sliplane is a simple container hosting solution. It enables you to deploy your containers in the cloud within minutes and scale up as you grow.

Try Sliplane for free

About the CVE Scanner

What is a CVE?

CVE stands for Common Vulnerabilities and Exposures. It is a standardized identifier for known security vulnerabilities, allowing developers and organizations to track and address potential risks effectively. For more information, visit cve.mitre.org.

About the CVE Scanner

The CVE Scanner is a powerful tool that helps you identify known vulnerabilities in your Docker images. By scanning your images against a comprehensive database of Common Vulnerabilities and Exposures (CVEs), you can ensure that your applications are secure and up-to-date. For more details, checkout the NIST CVE Database.

How the CVE Scanner Works

The CVE Scanner analyzes your Docker images against a comprehensive database of known vulnerabilities. It uses Docker Scout under the hood to provide detailed insights into affected packages, severity levels, and available fixes, empowering you to take immediate action.

Why CVE Scanning is Essential for Your Docker Images

With the rise of supply chain attacks, ensuring the security of your applications has become more critical than ever. CVE scanning plays a vital role in identifying vulnerabilities that could be exploited by attackers, especially those introduced through dependencies and third-party components. Regularly scanning and securing your Docker images is essential to protect your applications from these evolving threats.

Benefits of CVE Scanning

  • Enhanced Security: Detect and mitigate vulnerabilities before they are exploited.
  • Compliance: Meet industry standards and regulatory requirements for secure software.
  • Proactive Maintenance: Stay ahead of potential threats by addressing vulnerabilities early.

The Importance of Patching Docker Images

Patching your Docker images is a critical step in maintaining the security and stability of your applications. By regularly updating your images to include the latest security patches, you can address known vulnerabilities and reduce the risk of exploitation. This proactive approach ensures that your applications remain resilient against emerging threats and helps maintain compliance with security best practices.

Want to deploy this image?

Try out Sliplane - a simple Docker hosting solution. It provides you with the tools to deploy, manage and scale your containerized applications.

Connect Github