Anchore Syft is a widely used CLI tool and Go library designed to generate Software Bill of Materials (SBOM) from container images and filesystems. In versions before 1.42.3, Syft unpacks scanned archives into temporary storage to analyze their contents. During scanning, if the temporary storage becomes fully consumed—such as when processing very large files or highly compressed artifacts like zip bombs—Syft raises an error and exits. However, due to improper exception handling (classified as CWE-460: Improper Cleanup on Thrown Exception), Syft fails to remove the temporary files it created before exiting. This results in leftover temporary data that continues to consume storage space. Over time, this accumulation can exhaust the temporary storage partition, preventing Syft and other system utilities that depend on temporary storage from functioning correctly. The vulnerability does not expose confidential data or allow integrity compromise but impacts system availability by causing resource exhaustion. The issue requires no privileges or user interaction to exploit, making it relatively easy to trigger if malicious or malformed inputs are scanned. The vendor released a patch in version 1.42.3 that ensures temporary files are cleaned up even when errors occur during scanning. No known exploits are reported in the wild, but the vulnerability poses a risk to environments that use Syft extensively for SBOM generation, especially with large or suspicious artifacts.

The primary impact of CVE-2026-33481 is on system availability. Organizations relying on Syft for SBOM generation may experience denial of service conditions on the host system due to exhaustion of temporary storage. This can halt not only Syft scans but also other critical system processes and utilities that require temporary storage, potentially disrupting CI/CD pipelines, vulnerability management workflows, and compliance auditing processes. While the vulnerability does not compromise confidentiality or integrity, the operational disruption can delay security assessments and software supply chain transparency efforts. Environments processing large container images, archives, or untrusted compressed files are particularly at risk. Persistent depletion of temporary storage may require manual intervention to clear files, increasing operational overhead and risk of downtime. Although no exploits are currently known in the wild, attackers could leverage this vulnerability to cause resource exhaustion as part of a denial-of-service attack against development or security infrastructure.

To mitigate this vulnerability, organizations should upgrade Anchore Syft to version 1.42.3 or later, where proper cleanup of temporary files on error conditions is implemented. Until upgrading, users should monitor the usage of temporary storage partitions closely, especially when scanning large or highly compressed artifacts. Implement automated cleanup scripts or scheduled jobs to remove stale temporary files created by Syft scans to prevent storage exhaustion. Limit the size and type of artifacts scanned by Syft by applying input validation or pre-scanning filters to avoid processing zip bombs or unusually large archives. Consider isolating Syft scans in containerized or sandboxed environments with dedicated temporary storage quotas to contain potential resource exhaustion. Additionally, integrate monitoring and alerting on temporary storage utilization to detect abnormal growth early. Educate users and administrators about the risk of scanning untrusted or malformed archives that could trigger this issue. Finally, review and improve exception handling and resource cleanup policies in custom integrations or automation that invoke Syft.