Fluid Attacks Database

Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel9	bootc-image-builder-9-7	-	-
rpm rhel8	conmon	-	-
rpm rhel9	osbuild-composer	-	-
rpm rhel9	weldr-client	-	-
rpm rhel10	image-builder	-	-
rpm rhel9	grafana	-	-
rpm rhel10	bootc-image-builder-10-1	-	-
rpm rhel8	buildah	-	-
debian 13	golang-1.24	=1.24.12-1 \|\| =1.24.13-1 \|\| =1.24.13-2 \|\| =1.24.4-1 \|\| =1.24.4-2 \|\| =1.24.4-3 \|\| =1.24.4-4 \|\| =1.24.7-1 \|\| =1.24.8-1 \|\| =1.24.9-1	-
go	stdlib	>=0 <1.25.9	1.25.9

1-10 of 36

Aliases

1. CVE-2026-322882. NVD-2026-322883. OSV-2026-322884. OSV-DEBIAN-2026-322885. OSV-GO-2026-48696. GCVE-2026-322887. SECURITY-TRACKER-CVE-2026-32288

References

1. https://go.dev/cl/7637662. https://go.dev/issue/783013. https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.