CVE-2026-54448: CWE-770: Allocation of Resources Without Limits or Throttling in aquasecurity trivy
Trivy is a security scanner. Prior to 0.71.0, when Trivy scans a Helm chart archive (.tgz), its custom tar unpacker reads each entry with io.ReadAll(tr) and no size limit. An attacker who can place a malicious .tgz file in the scanned path can craft a small compressed archive that decompresses to gigabytes, causing the Trivy process to be killed by the OS OOM killer. This vulnerability is fixed in 0.71.0.
AI Analysis
Technical Summary
CVE-2026-54448 describes a resource exhaustion vulnerability in aquasecurity's Trivy scanner before version 0.71.0. When scanning Helm chart archives (.tgz), Trivy's custom tar unpacker uses io.ReadAll(tr) without imposing size limits on decompressed entries. An attacker able to supply a malicious .tgz file can cause Trivy to decompress a small archive into gigabytes of data, leading to excessive memory consumption and process termination by the OS OOM killer. This vulnerability is addressed in Trivy 0.71.0.
Potential Impact
The vulnerability allows an attacker to cause a denial of service by exhausting system memory during Trivy's scanning process, resulting in the Trivy process being killed by the operating system. There is no indication of code execution or data corruption. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade Trivy to version 0.71.0 or later, where this issue is fixed by imposing limits on the size of decompressed tar entries. Until upgraded, avoid scanning untrusted Helm chart archives to prevent potential resource exhaustion.
CVE-2026-54448: CWE-770: Allocation of Resources Without Limits or Throttling in aquasecurity trivy
Description
Trivy is a security scanner. Prior to 0.71.0, when Trivy scans a Helm chart archive (.tgz), its custom tar unpacker reads each entry with io.ReadAll(tr) and no size limit. An attacker who can place a malicious .tgz file in the scanned path can craft a small compressed archive that decompresses to gigabytes, causing the Trivy process to be killed by the OS OOM killer. This vulnerability is fixed in 0.71.0.
CVSS v4.0
Score 6.9medium
Affected software
pkg:github/aquasecurity/trivyRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-54448 describes a resource exhaustion vulnerability in aquasecurity's Trivy scanner before version 0.71.0. When scanning Helm chart archives (.tgz), Trivy's custom tar unpacker uses io.ReadAll(tr) without imposing size limits on decompressed entries. An attacker able to supply a malicious .tgz file can cause Trivy to decompress a small archive into gigabytes of data, leading to excessive memory consumption and process termination by the OS OOM killer. This vulnerability is addressed in Trivy 0.71.0.
Potential Impact
The vulnerability allows an attacker to cause a denial of service by exhausting system memory during Trivy's scanning process, resulting in the Trivy process being killed by the operating system. There is no indication of code execution or data corruption. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade Trivy to version 0.71.0 or later, where this issue is fixed by imposing limits on the size of decompressed tar entries. Until upgraded, avoid scanning untrusted Helm chart archives to prevent potential resource exhaustion.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-15T15:30:40.317Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3d5b514853345fc13372be
Added to database: 06/25/2026, 16:46:09 UTC
Last enriched: 06/25/2026, 17:02:09 UTC
Last updated: 06/25/2026, 20:13:20 UTC
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.