Snyk test report
- quay.io/argoproj/argocd:latest/argoproj/argocd/Dockerfile (deb)
- quay.io/argoproj/argocd:latest/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)
- quay.io/argoproj/argocd:latest//usr/local/bin/git-lfs (gomodules)
- quay.io/argoproj/argocd:latest//usr/local/bin/kustomize (gomodules)
- quay.io/argoproj/argocd:latest/helm/v4//usr/local/bin/helm (gomodules)
- quay.io/argoproj/argocd:latest/canonical/pebble//usr/bin/pebble (gomodules)
Improper Authentication
Detailed paths
Overview
Affected versions of this package are vulnerable to Improper Authentication via the ToASCII and ToUnicode functions. An attacker can bypass hostname validation by submitting Punycode-encoded labels that decode to ASCII-only labels, potentially leading to privilege escalation in applications that rely on these functions for security checks.
Note: The fix depends on the Go toolchain in use having Unicode version 16 or later, which is planned for the 1.27 release.
Remediation
Upgrade golang.org/x/net/idna to version 0.54.0 or higher.
References
Infinite loop
Detailed paths
Overview
golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.
Affected versions of this package are vulnerable to Infinite loop.
Go Vulnerability Report:
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
Remediation
Upgrade golang.org/x/net/http2 to version 0.53.0 or higher.
References
Authentication Bypass
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
A flaw was found in util-linux. Improper hostname canonicalization in the login(1) utility, when invoked with the -h option, can modify the supplied remote hostname before setting PAM_RHOST. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.
Remediation
There is no fixed version for Ubuntu:26.04 util-linux.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-3184
- https://access.redhat.com/errata/RHSA-2026:7180
- https://access.redhat.com/security/cve/CVE-2026-3184
- https://bugzilla.redhat.com/show_bug.cgi?id=2442570
Directory Traversal
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.
Remediation
There is no fixed version for Ubuntu:26.04 tar.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-45582
- https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md
- https://www.gnu.org/software/tar/
- https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
- https://www.gnu.org/software/tar/manual/html_node/Integrity.html
- https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html
- http://www.openwall.com/lists/oss-security/2025/11/01/6
CVE-2026-35357
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents.
Remediation
There is no fixed version for Ubuntu:26.04 rust-coreutils.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35357
- https://github.com/uutils/coreutils/issues/10011
CVE-2026-35373
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms (e.g., ln SOURCE... DIRECTORY). While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation enforces UTF-8 encoding, resulting in a failure to stat the file and a non-zero exit code. In environments where automated scripts or system tasks process valid but non-UTF-8 filenames common on Unix filesystems, this divergence causes the utility to fail, leading to a local denial of service for those specific operations.
Remediation
There is no fixed version for Ubuntu:26.04 rust-coreutils.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35373
- https://github.com/uutils/coreutils/pull/11403
CVE-2026-35367
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (0644). In multi-user environments, this allows any user on the system to read the captured stdout/stderr output of a command, potentially exposing sensitive information. This behavior diverges from GNU coreutils, which creates nohup.out with owner-only (0600) permissions.
Remediation
There is no fixed version for Ubuntu:26.04 rust-coreutils.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35367
- https://github.com/uutils/coreutils/issues/10021
CVE-2026-35348
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect(), causing an immediate crash when encountering valid but non-UTF-8 paths. This diverges from GNU sort, which treats filenames as raw bytes. A local attacker can exploit this to crash the utility and disrupt automated pipelines.
Remediation
There is no fixed version for Ubuntu:26.04 rust-coreutils.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35348
- https://github.com/uutils/coreutils/issues/9696
CVE-2026-35364
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source.
Remediation
There is no fixed version for Ubuntu:26.04 rust-coreutils.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35364
- https://github.com/uutils/coreutils/issues/10015
CVE-2026-35360
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.
Remediation
There is no fixed version for Ubuntu:26.04 rust-coreutils.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35360
- https://github.com/uutils/coreutils/issues/10019
CVE-2026-35352
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges.
Remediation
There is no fixed version for Ubuntu:26.04 rust-coreutils.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-35352
- http://www.openwall.com/lists/oss-security/2026/05/04/4
- http://www.openwall.com/lists/oss-security/2026/05/04/5
- http://www.openwall.com/lists/oss-security/2026/05/04/6
- https://github.com/uutils/coreutils/issues/10020
Uncontrolled Recursion
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream p11-kit package and not the p11-kit package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
A flaw was found in p11-kit. The RPC message attribute parsing functions p11_rpc_message_get_attribute() and p11_rpc_message_get_attribute_array_value() form a mutually-recursive call chain with no recursion depth limit when processing nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE attributes. An unauthenticated attacker with local access to the p11-kit RPC Unix domain socket can send a specially crafted request with deeply nested template attributes, causing stack exhaustion and crashing the p11-kit server process and its dependent services.
Remediation
There is no fixed version for Ubuntu:26.04 p11-kit.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-13757
- https://access.redhat.com/security/cve/CVE-2026-13757
- https://bugzilla.redhat.com/show_bug.cgi?id=2494556
CVE-2026-4438
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.
Remediation
There is no fixed version for Ubuntu:26.04 glibc.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-4438
- https://sourceware.org/bugzilla/show_bug.cgi?id=34015
CVE-2026-4046
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.
This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.
Remediation
There is no fixed version for Ubuntu:26.04 glibc.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-4046
- https://sourceware.org/bugzilla/show_bug.cgi?id=33980
- https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD
- https://inbox.sourceware.org/libc-announce/76814edf-cf7f-47ec-979d-2dce0a2c76bf@gotplt.org/T/#u
CVE-2026-6238
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.
These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.
Remediation
There is no fixed version for Ubuntu:26.04 glibc.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-6238
- https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u
- https://sourceware.org/bugzilla/show_bug.cgi?id=34069
CVE-2026-5435
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.
Remediation
There is no fixed version for Ubuntu:26.04 glibc.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-5435
- https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u
- https://sourceware.org/bugzilla/show_bug.cgi?id=34033
Improper Validation of Specified Type of Input
Detailed paths
Overview
Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input in the calls plugin when handling websocket messages containing malformed msgpack frames. An attacker can cause the server to consume excessive memory and crash by sending specially crafted websocket requests.
Remediation
There is no fixed version for github.com/vmihailenco/msgpack/v5.
References
Algorithmic Complexity
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.
Remediation
There is no fixed version for Ubuntu:26.04 expat.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-66382
- https://github.com/libexpat/libexpat/issues/1076
- http://www.openwall.com/lists/oss-security/2025/12/02/1
- https://cert-portal.siemens.com/productcert/html/ssa-082556.html
- https://cert-portal.siemens.com/productcert/html/ssa-253495.html
CVE-2026-11856
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
Successfully using libcurl to do a transfer to a specific HTTP origin
(hostA) with Digest authentication and then changing the origin to a
different one (hostB) for a second transfer, reusing the same handle, makes
libcurl wrongly pass on the Authorization: header field meant for hostA,
to hostB.
Remediation
There is no fixed version for Ubuntu:26.04 curl.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-11856
- https://curl.se/docs/CVE-2026-11856.html
- https://curl.se/docs/CVE-2026-11856.json
- https://hackerone.com/reports/3793260
Stack-based Buffer Overflow
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.
Remediation
There is no fixed version for Ubuntu:26.04 gnutls28.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-9820
- https://access.redhat.com/security/cve/CVE-2025-9820
- https://bugzilla.redhat.com/show_bug.cgi?id=2392528
- https://gitlab.com/gnutls/gnutls/-/commit/1d56f96f6ab5034d677136b9d50b5a75dff0faf5
- https://gitlab.com/gnutls/gnutls/-/issues/1732
- https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-11-18
- http://www.openwall.com/lists/oss-security/2025/11/20/2
- https://access.redhat.com/errata/RHSA-2026:3477
- https://access.redhat.com/errata/RHSA-2026:4188
- https://access.redhat.com/errata/RHSA-2026:4655
- https://access.redhat.com/errata/RHSA-2026:4943
- https://access.redhat.com/errata/RHSA-2026:5585
- https://access.redhat.com/errata/RHSA-2026:5606
- https://access.redhat.com/errata/RHSA-2026:7329
- https://access.redhat.com/errata/RHSA-2026:7477
- https://access.redhat.com/errata/RHSA-2026:13812
- https://cert-portal.siemens.com/productcert/html/ssa-032379.html
CVE-2026-11564
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.
An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.
Remediation
There is no fixed version for Ubuntu:26.04 curl.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-11564
- https://curl.se/docs/CVE-2026-11564.html
- https://curl.se/docs/CVE-2026-11564.json
- https://hackerone.com/reports/3788984
CVE-2026-12064
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
When a user invokes curl using a schemeless URL combined with
--proto-default sftp (or scp), a disconnect occurs between the tool layer
and libcurl. The tool layer incorrectly infers the URL scheme, which
erroneously bypasses the initialization of critical SSH security options like
CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the
libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes
the connection via SFTP/SCP as specified. Because the tool layer skipped the
security configuration, these SSH host verification options are silently
omitted, causing curl to connect to an unverified SSH remote host without
throwing an error.
Remediation
There is no fixed version for Ubuntu:26.04 curl.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-12064
- https://curl.se/docs/CVE-2026-12064.html
- https://curl.se/docs/CVE-2026-12064.json
- https://hackerone.com/reports/3797526
CVE-2026-11352
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.
Remediation
There is no fixed version for Ubuntu:26.04 curl.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-11352
- https://curl.se/docs/CVE-2026-11352.html
- https://curl.se/docs/CVE-2026-11352.json
- https://hackerone.com/reports/3783438
CVE-2026-10536
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
A use-after-free vulnerability exists in libcurl when an application
configures an HTTP/2 stream-dependency tree via CURLOPT_STREAM_DEPENDS or
CURLOPT_STREAM_DEPENDS_E, subsequently invokes curl_easy_reset(), and
finally terminates the handle with curl_easy_cleanup(). During this final
cleanup phase, libcurl attempts to access and modify an internal structure
that was already freed during the reset operation.
Remediation
There is no fixed version for Ubuntu:26.04 curl.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-10536
- https://curl.se/docs/CVE-2026-10536.html
- https://curl.se/docs/CVE-2026-10536.json
- https://hackerone.com/reports/3751697
CVE-2026-8932
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse.
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key.
Remediation
There is no fixed version for Ubuntu:26.04 curl.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-8932
- https://curl.se/docs/CVE-2026-8932.html
- https://curl.se/docs/CVE-2026-8932.json
- https://hackerone.com/reports/3733910
CVE-2026-11586
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:26.04 relevant fixed versions and status.
By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.
Remediation
There is no fixed version for Ubuntu:26.04 curl.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-11586
- https://curl.se/docs/CVE-2026-11586.html
- https://curl.se/docs/CVE-2026-11586.json
- https://hackerone.com/reports/3788931