DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-39396: Resource Exhaustion via Decompression Bomb in OpenBao OCI Plugin Downloader

Vulnerability ID: CVE-2026-39396
CVSS Score: 3.1
Published: 2026-04-21

OpenBao versions prior to 2.5.3 are vulnerable to a resource-exhaustion denial of service (DoS) caused by unbounded disk writes during OCI plugin extraction. A crafted container image served from a compromised or malicious registry acts as a decompression bomb: OpenBao streams the decompressed layer straight to disk without enforcing a size limit, so the archive alone decides how much is written and can fill the host's disk.

TL;DR

Unbounded io.Copy calls in OpenBao's OCI plugin extraction path let a decompression bomb exhaust host disk space. Version 2.5.3 fixes this by wrapping the copy in io.LimitReader and validating the extracted size against the limit and the tar header.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-400 / CWE-770
  • Attack Vector: Network (Via Registry)
  • CVSS Score: 3.1 (Low)
  • EPSS Score: 0.00033
  • Impact: Denial of Service (Disk Exhaustion)
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • OpenBao (OCI plugin downloader): < 2.5.3 (fixed in 2.5.3)

Code Analysis

Commit: af576af

Fix decompression bomb vulnerability in plugin OCI extraction by implementing io.LimitReader and size constraints.
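To make the TL;DR and the commit message above concrete, the following is an added Go example, not OpenBao's own code: it builds a constructed gzip-compressed tar layer whose single entry is a run of zero bytes (a few KiB on the wire, 16 MiB once extracted), then runs it through the vulnerable pattern (a bare io.Copy per entry) and through a hardened extractor that rejects on the declared size, caps the copy with io.LimitReader and checks the byte count against the tar header. The function names, the entry name "plugin" and the 1 MiB budget are assumptions for illustration and do not describe OpenBao's internal API or its configured defaults.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge: an entry would push extraction past the caller's budget.
var ErrTooLarge = errors.New("plugin archive exceeds maximum extraction size")

// buildLayer constructs a gzip-compressed tar layer holding one regular file
// named "plugin" of `size` zero bytes (constructed input: a decompression bomb).
func buildLayer(size int64) ([]byte, error) {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	hdr := &tar.Header{Name: "plugin", Mode: 0o755, Size: size, Typeflag: tar.TypeReg}
	if err := tw.WriteHeader(hdr); err != nil {
		return nil, err
	}
	if _, err := tw.Write(make([]byte, size)); err != nil {
		return nil, err
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	if err := gz.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// extract walks the layer and hands every regular-file entry to copyEntry,
// returning the total bytes written. The two policies below differ only there.
func extract(layer []byte, copyEntry func(hdr *tar.Header, body io.Reader, written int64) (int64, error)) (int64, error) {
	gz, err := gzip.NewReader(bytes.NewReader(layer))
	if err != nil {
		return 0, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	var total int64
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return total, nil
		}
		if err != nil {
			return total, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		n, err := copyEntry(hdr, tr, total)
		total += n
		if err != nil {
			return total, err
		}
	}
}

// extractUnbounded is the vulnerable pattern: a bare io.Copy per entry, so the
// archive alone decides how many bytes land on disk.
func extractUnbounded(layer []byte, dst io.Writer) (int64, error) {
	return extract(layer, func(_ *tar.Header, body io.Reader, _ int64) (int64, error) {
		return io.Copy(dst, body)
	})
}

// extractBounded is the hardened form: reject on the declared size before writing
// a byte, cap the copy with io.LimitReader, then verify the count against the header.
func extractBounded(layer []byte, dst io.Writer, maxSize int64) (int64, error) {
	return extract(layer, func(hdr *tar.Header, body io.Reader, written int64) (int64, error) {
		if hdr.Size < 0 || hdr.Size > maxSize-written {
			return 0, fmt.Errorf("%w: %q declares %d bytes, %d left in budget", ErrTooLarge, hdr.Name, hdr.Size, maxSize-written)
		}
		// One byte above the declared size: an over-long body is detected, not written in full.
		n, err := io.Copy(dst, io.LimitReader(body, hdr.Size+1))
		if err != nil {
			return n, err
		}
		if n != hdr.Size {
			return n, fmt.Errorf("file size was different than reported in tar header: %q got %d, want %d", hdr.Name, n, hdr.Size)
		}
		return n, nil
	})
}

func main() {
	bomb, err := buildLayer(16 << 20) // 16 MiB declared, roughly 16 KiB on the wire
	if err != nil {
		panic(err)
	}
	n, err := extractUnbounded(bomb, io.Discard)
	fmt.Printf("unbounded: %d bytes written, err=%v\n", n, err)
	n, err = extractBounded(bomb, io.Discard, 1<<20)
	fmt.Printf("bounded (1 MiB budget): %d bytes written, err=%v\n", n, err)
}
```

The unbounded extractor dutifully writes all 16 MiB; the bounded one returns ErrTooLarge before a single byte is written, because the tar header already reveals the bomb. The io.LimitReader cap and the post-copy comparison are defence in depth for an archive reader that does not bound entries itself, and the mismatch message mirrors the "file size was different than reported in tar header" error mentioned in the remediation steps. In production, dst would be a file under the plugin directory rather than io.Discard.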

Mitigation Strategies

  • Upgrade OpenBao to version 2.5.3 or later to get the io.LimitReader extraction protections.
  • Set the plugin_download_max_size parameter in the server configuration to enforce a strict upper limit on downloaded plugin binaries.
  • Restrict the OCI plugin downloader to trusted, internally controlled container registries; a registry you do not control can serve any layer it likes.
  • Place the OpenBao plugin and cache directories on their own volume (with a quota) so that filling them cannot starve system-critical partitions.

Remediation Steps:

  1. Check the running OpenBao version from the CLI.
  2. Download the OpenBao 2.5.3 binary from the official releases and verify its checksum or signature before installing it.
  3. Add an explicit plugin_download_max_size setting to the server configuration, sized for the plugins you actually deploy.
  4. Restart the OpenBao service so both the new binary and the new configuration take effect.
  5. After deployment, watch the application logs for "file size was different than reported in tar header" errors, which indicate rejected payloads.
