Fluid Attacks Database

Description

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared digest descriptor but leaves stale repo-scoped membership behind, so a later Stat or Get from repo b repopulates the shared descriptor and makes the deleted blob readable from repo a again. This vulnerability is fixed in 3.1.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	docker-registry	=2.8.2+ds1-1 \|\| =2.8.3+ds1-1 \|\| =2.8.3+ds1-2	-
go	github.com/distribution/distribution/v3	>=0 <3.1.0	3.1.0
go	github.com/distribution/distribution	>=0 <=2.8.3	-
debian 13	docker-registry	=2.8.3+ds1-2	-
debian 14	docker-registry	=2.8.3+ds1-2	-
debian 11	docker-registry	=2.7.1+ds2-7 \|\| =2.7.1+ds2-7+deb11u1 \|\| =2.8.0+ds1-1 \|\| =2.8.0+ds1-2 \|\| =2.8.0+ds1-3 \|\| =2.8.0+ds1-4 \|\| =2.8.1+ds1-1 \|\| =2.8.1+ds1-2 \|\| =2.8.2+ds1-1 \|\| =2.8.3+ds1-1 \|\| =2.8.3+ds1-2	-

Aliases

1. CVE-2026-351722. NVD-2026-351723. OSV-DEBIAN-2026-351724. OSV-2026-351725. GHSA-f2g3-hh2r-cwgc6. GCVE-2026-351727. SECURITY-TRACKER-CVE-2026-35172

References

1. https://github.com/distribution/distribution/security/advisories/GHSA-f2g3-hh2r-cwgc2. https://github.com/distribution/distribution/commit/078b0783f239b4115d1a979e66f08832084e9d1d