DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-54448: CVE-2026-54448: Denial of Service in Trivy Helm Chart Parser via Decompression Bomb

CVE-2026-54448: Denial of Service in Trivy Helm Chart Parser via Decompression Bomb

Vulnerability ID: CVE-2026-54448
CVSS Score: 6.5
Published: 2026-07-14

CVE-2026-54448 is a critical denial of service vulnerability in Trivy's Infrastructure-as-Code (IaC) misconfiguration scanning engine. Prior to version 0.71.0, Trivy utilized a custom archive parser to unpack Helm chart tarballs (.tgz) during automated scans. This custom implementation iterated through compressed files and loaded their entire raw contents into system memory using the io.ReadAll function without implementing size limits or threshold checks, enabling an attacker to trigger an immediate heap-allocation crash or system Out-of-Memory (OOM) termination using a decompression bomb.

TL;DR

Trivy versions prior to 0.71.0 are vulnerable to Denial of Service (DoS) via decompression bombs. The custom Helm chart unpacker uses unbounded memory reads, allowing small malicious archives to exhaust host memory and crash the scanner process.


Technical Details

  • Vulnerability Type: Improper Handling of Highly Compressed Data (CWE-409)
  • Attack Vector: Network
  • Attack Complexity: Low
  • CVSS v3.1 Base Score: 6.5 (Medium)
  • EPSS Score: 0.0025
  • KEV Status: Not Listed
  • Exploit Maturity: none

Affected Systems

  • Aqua Security Trivy (versions < 0.71.0)
  • Trivy: < 0.71.0 (Fixed in: 0.71.0)

Code Analysis

Commit: 441251e

refactor(misconf): replace custom Helm archive parsing with Helm SDK loaders

Mitigation Strategies

  • Upgrade Trivy command-line installations and container images to version 0.71.0 or higher.
  • Skip processing of compressed archives using the --skip-files or --skip-dirs arguments.
  • Enforce strict control group (cgroups) or container-level memory limits on scan runners to prevent host memory depletion.

Remediation Steps:

  1. Determine current Trivy versions active across local environments and deployment pipelines by executing 'trivy --version'.
  2. Update central CI/CD template files and workflow configurations to explicitly require aquasec/trivy:0.71.0 or newer.
  3. For legacy setups where upgrades are blocked, configure the '--skip-files' parameter to bypass .tgz and .tar files during scanning.

References


Read the full report for CVE-2026-54448 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)