Snyk - Open Source Security

Snyk test report

July 5th 2026, 12:47:03 am (UTC+00:00)

Scanned the following paths:
  • quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd/Dockerfile (deb)
  • quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)
  • quay.io/argoproj/argocd:v3.5.0-rc2//usr/local/bin/git-lfs (gomodules)
  • quay.io/argoproj/argocd:v3.5.0-rc2//usr/local/bin/kustomize (gomodules)
  • quay.io/argoproj/argocd:v3.5.0-rc2/helm/v4//usr/local/bin/helm (gomodules)
  • quay.io/argoproj/argocd:v3.5.0-rc2/canonical/pebble//usr/bin/pebble (gomodules)
27 known vulnerabilities
61 vulnerable dependency paths
2498 dependencies

Improper Authentication

critical severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2 /usr/local/bin/git-lfs
  • Package Manager: golang
  • Vulnerable module: golang.org/x/net/idna
  • Introduced through: go-distribution@command-line-arguments@* and golang.org/x/net/idna@v0.38.0

Detailed paths

  • Introduced through: go-distribution@command-line-arguments@* golang.org/x/net/idna@v0.38.0

Overview

Affected versions of this package are vulnerable to Improper Authentication via the ToASCII and ToUnicode functions. An attacker can bypass hostname validation by submitting Punycode-encoded labels that decode to ASCII-only labels, potentially leading to privilege escalation in applications that rely on these functions for security checks.

Note: The fix depends on the Go toolchain in use having Unicode version 16 or later, which is planned for the 1.27 release.

Remediation

Upgrade golang.org/x/net/idna to version 0.54.0 or higher.

References


Infinite loop

high severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2 /usr/local/bin/git-lfs
  • Package Manager: golang
  • Vulnerable module: golang.org/x/net/http2
  • Introduced through: go-distribution@command-line-arguments@* and golang.org/x/net/http2@v0.38.0

Detailed paths

  • Introduced through: go-distribution@command-line-arguments@* golang.org/x/net/http2@v0.38.0

Overview

golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.

Affected versions of this package are vulnerable to Infinite loop.

Go Vulnerability Report:

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Remediation

Upgrade golang.org/x/net/http2 to version 0.53.0 or higher.

References


Authentication Bypass

medium severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: util-linux/libblkid1
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 and util-linux/libblkid1@2.41.3-3ubuntu2

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 util-linux/libblkid1@2.41.3-3ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 e2fsprogs@1.47.2-3ubuntu4 util-linux/libblkid1@2.41.3-3ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 util-linux/libmount1@2.41.3-3ubuntu2 util-linux/libblkid1@2.41.3-3ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 util-linux@2.41.3-3ubuntu2 util-linux/libblkid1@2.41.3-3ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 util-linux/mount@2.41.3-3ubuntu2 util-linux/libblkid1@2.41.3-3ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 util-linux/libuuid1@2.41.3-3ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 e2fsprogs@1.47.2-3ubuntu4 util-linux/libuuid1@2.41.3-3ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 util-linux@2.41.3-3ubuntu2 util-linux/libuuid1@2.41.3-3ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 util-linux/libmount1@2.41.3-3ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 util-linux@2.41.3-3ubuntu2 util-linux/libmount1@2.41.3-3ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 util-linux/mount@2.41.3-3ubuntu2 util-linux/libmount1@2.41.3-3ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 util-linux/libsmartcols1@2.41.3-3ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 util-linux@2.41.3-3ubuntu2 util-linux/libsmartcols1@2.41.3-3ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 util-linux/mount@2.41.3-3ubuntu2 util-linux/libsmartcols1@2.41.3-3ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 util-linux@2.41.3-3ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 util-linux/bsdutils@1:2.41.3-3ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 util-linux/login@1:4.16.0-2+really2.41.3-3ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 util-linux/mount@2.41.3-3ubuntu2

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A flaw was found in util-linux. Improper hostname canonicalization in the login(1) utility, when invoked with the -h option, can modify the supplied remote hostname before setting PAM_RHOST. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified domain names. This could lead to unauthorized access.

Remediation

There is no fixed version for Ubuntu:26.04 util-linux.

References


Directory Traversal

medium severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: tar
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 and tar@1.35+dfsg-4ubuntu0.1

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 tar@1.35+dfsg-4ubuntu0.1
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 dpkg@1.23.7ubuntu1 tar@1.35+dfsg-4ubuntu0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

Remediation

There is no fixed version for Ubuntu:26.04 tar.

References


CVE-2026-35357

medium severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: rust-coreutils
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 and rust-coreutils@0.8.0-0ubuntu3

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 rust-coreutils@0.8.0-0ubuntu3
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 coreutils-from/coreutils@9.5-1ubuntu2+0.0.0~ubuntu25 coreutils-from/coreutils-from-uutils@0.0.0~ubuntu25 rust-coreutils@0.8.0-0ubuntu3

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions (e.g., 0644) before being restricted to their final mode (e.g., 0600) later in the process. A local attacker can race to open the file during this window; once obtained, the file descriptor remains valid and readable even after the permissions are tightened, exposing sensitive or private file contents.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References


CVE-2026-35373

medium severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: rust-coreutils
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 and rust-coreutils@0.8.0-0ubuntu3

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 rust-coreutils@0.8.0-0ubuntu3
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 coreutils-from/coreutils@9.5-1ubuntu2+0.0.0~ubuntu25 coreutils-from/coreutils-from-uutils@0.0.0~ubuntu25 rust-coreutils@0.8.0-0ubuntu3

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms (e.g., ln SOURCE... DIRECTORY). While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation enforces UTF-8 encoding, resulting in a failure to stat the file and a non-zero exit code. In environments where automated scripts or system tasks process valid but non-UTF-8 filenames common on Unix filesystems, this divergence causes the utility to fail, leading to a local denial of service for those specific operations.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References


CVE-2026-35367

medium severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: rust-coreutils
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 and rust-coreutils@0.8.0-0ubuntu3

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 rust-coreutils@0.8.0-0ubuntu3
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 coreutils-from/coreutils@9.5-1ubuntu2+0.0.0~ubuntu25 coreutils-from/coreutils-from-uutils@0.0.0~ubuntu25 rust-coreutils@0.8.0-0ubuntu3

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The nohup utility in uutils coreutils creates its default output file, nohup.out, without specifying explicit restricted permissions. This causes the file to inherit umask-based permissions, typically resulting in a world-readable file (0644). In multi-user environments, this allows any user on the system to read the captured stdout/stderr output of a command, potentially exposing sensitive information. This behavior diverges from GNU coreutils, which creates nohup.out with owner-only (0600) permissions.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References


CVE-2026-35348

medium severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: rust-coreutils
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 and rust-coreutils@0.8.0-0ubuntu3

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 rust-coreutils@0.8.0-0ubuntu3
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 coreutils-from/coreutils@9.5-1ubuntu2+0.0.0~ubuntu25 coreutils-from/coreutils-from-uutils@0.0.0~ubuntu25 rust-coreutils@0.8.0-0ubuntu3

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect(), causing an immediate crash when encountering valid but non-UTF-8 paths. This diverges from GNU sort, which treats filenames as raw bytes. A local attacker can exploit this to crash the utility and disrupt automated pipelines.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References


CVE-2026-35364

medium severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: rust-coreutils
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 and rust-coreutils@0.8.0-0ubuntu3

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 rust-coreutils@0.8.0-0ubuntu3
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 coreutils-from/coreutils@9.5-1ubuntu2+0.0.0~ubuntu25 coreutils-from/coreutils-from-uutils@0.0.0~ubuntu25 rust-coreutils@0.8.0-0ubuntu3

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mv utility of uutils coreutils during cross-device operations. The utility removes the destination path before recreating it through a copy operation. A local attacker with write access to the destination directory can exploit this window to replace the destination with a symbolic link. The subsequent privileged move operation will follow the symlink, allowing the attacker to redirect the write and overwrite an arbitrary target file with contents from the source.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References


CVE-2026-35360

medium severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: rust-coreutils
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 and rust-coreutils@0.8.0-0ubuntu3

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 rust-coreutils@0.8.0-0ubuntu3
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 coreutils-from/coreutils@9.5-1ubuntu2+0.0.0~ubuntu25 coreutils-from/coreutils-from-uutils@0.0.0~ubuntu25 rust-coreutils@0.8.0-0ubuntu3

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create(), which internally uses O_TRUNC. An attacker can exploit this window to create a file or swap a symlink at the target path, causing touch to truncate an existing file and leading to permanent data loss.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References


CVE-2026-35352

medium severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: rust-coreutils
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 and rust-coreutils@0.8.0-0ubuntu3

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 rust-coreutils@0.8.0-0ubuntu3
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 coreutils-from/coreutils@9.5-1ubuntu2+0.0.0~ubuntu25 coreutils-from/coreutils-from-uutils@0.0.0~ubuntu25 rust-coreutils@0.8.0-0ubuntu3

NVD Description

Note: Versions mentioned in the description apply only to the upstream rust-coreutils package and not the rust-coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the mkfifo utility of uutils coreutils. The utility creates a FIFO and then performs a path-based chmod to set permissions. A local attacker with write access to the parent directory can swap the newly created FIFO for a symbolic link between these two operations. This redirects the chmod call to an arbitrary file, potentially enabling privilege escalation if the utility is run with elevated privileges.

Remediation

There is no fixed version for Ubuntu:26.04 rust-coreutils.

References


Uncontrolled Recursion

medium severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: p11-kit/libp11-kit0
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2, git@1:2.53.0-1ubuntu1 and others

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 git@1:2.53.0-1ubuntu1 curl/libcurl3t64-gnutls@8.18.0-1ubuntu2.2 gnutls28/libgnutls30t64@3.8.12-2ubuntu1.1 p11-kit/libp11-kit0@0.26.2-2

NVD Description

Note: Versions mentioned in the description apply only to the upstream p11-kit package and not the p11-kit package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A flaw was found in p11-kit. The RPC message attribute parsing functions p11_rpc_message_get_attribute() and p11_rpc_message_get_attribute_array_value() form a mutually-recursive call chain with no recursion depth limit when processing nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE attributes. An unauthenticated attacker with local access to the p11-kit RPC Unix domain socket can send a specially crafted request with deeply nested template attributes, causing stack exhaustion and crashing the p11-kit server process and its dependent services.

Remediation

There is no fixed version for Ubuntu:26.04 p11-kit.

References


HTTP Request Smuggling

medium severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: nghttp2/libnghttp2-14
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2, git@1:2.53.0-1ubuntu1 and others

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 git@1:2.53.0-1ubuntu1 curl/libcurl3t64-gnutls@8.18.0-1ubuntu2.2 nghttp2/libnghttp2-14@1.68.0-2ubuntu0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream nghttp2 package and not the nghttp2 package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.

Remediation

Upgrade Ubuntu:26.04 nghttp2 to version 1.68.0-2ubuntu0.2 or higher.

References


CVE-2026-4438

medium severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: glibc/libc-bin
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 and glibc/libc-bin@2.43-2ubuntu2

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 glibc/libc-bin@2.43-2ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 glibc/libc-gconv-modules-extra@2.43-2ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 glibc/libc6@2.43-2ubuntu2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

Remediation

There is no fixed version for Ubuntu:26.04 glibc.

References


CVE-2026-4046

medium severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: glibc/libc-bin
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 and glibc/libc-bin@2.43-2ubuntu2

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 glibc/libc-bin@2.43-2ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 glibc/libc-gconv-modules-extra@2.43-2ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 glibc/libc6@2.43-2ubuntu2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.

This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

Remediation

There is no fixed version for Ubuntu:26.04 glibc.

References


CVE-2026-6238

medium severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: glibc/libc-bin
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 and glibc/libc-bin@2.43-2ubuntu2

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 glibc/libc-bin@2.43-2ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 glibc/libc-gconv-modules-extra@2.43-2ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 glibc/libc6@2.43-2ubuntu2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.

These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.

Remediation

There is no fixed version for Ubuntu:26.04 glibc.

References


CVE-2026-5435

medium severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: glibc/libc-bin
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 and glibc/libc-bin@2.43-2ubuntu2

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 glibc/libc-bin@2.43-2ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 glibc/libc-gconv-modules-extra@2.43-2ubuntu2
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 glibc/libc6@2.43-2ubuntu2

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.

Remediation

There is no fixed version for Ubuntu:26.04 glibc.

References


Improper Validation of Specified Type of Input

medium severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argo-cd/v3 /usr/local/bin/argocd
  • Package Manager: golang
  • Vulnerable module: github.com/vmihailenco/msgpack/v5
  • Introduced through: github.com/argoproj/argo-cd/v3@* and github.com/vmihailenco/msgpack/v5@v5.4.1

Detailed paths

  • Introduced through: github.com/argoproj/argo-cd/v3@* github.com/vmihailenco/msgpack/v5@v5.4.1

Overview

Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input in the calls plugin when handling websocket messages containing malformed msgpack frames. An attacker can cause the server to consume excessive memory and crash by sending specially crafted websocket requests.

Remediation

There is no fixed version for github.com/vmihailenco/msgpack/v5.

References


Algorithmic Complexity

medium severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: expat/libexpat1
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2, git@1:2.53.0-1ubuntu1 and others

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 git@1:2.53.0-1ubuntu1 expat/libexpat1@2.7.4-1

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

Remediation

There is no fixed version for Ubuntu:26.04 expat.

References


CVE-2026-11856

medium severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: curl/libcurl3t64-gnutls
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2, git@1:2.53.0-1ubuntu1 and others

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 git@1:2.53.0-1ubuntu1 curl/libcurl3t64-gnutls@8.18.0-1ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

Successfully using libcurl to do a transfer to a specific HTTP origin (hostA) with Digest authentication and then changing the origin to a different one (hostB) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Authorization: header field meant for hostA, to hostB.

Remediation

There is no fixed version for Ubuntu:26.04 curl.

References


Stack-based Buffer Overflow

low severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: gnutls28/libgnutls30t64
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2, git@1:2.53.0-1ubuntu1 and others

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 git@1:2.53.0-1ubuntu1 curl/libcurl3t64-gnutls@8.18.0-1ubuntu2.2 gnutls28/libgnutls30t64@3.8.12-2ubuntu1.1
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 git@1:2.53.0-1ubuntu1 curl/libcurl3t64-gnutls@8.18.0-1ubuntu2.2 rtmpdump/librtmp1@2.4+20151223.gitfa8646d.1-3 gnutls28/libgnutls30t64@3.8.12-2ubuntu1.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.

Remediation

There is no fixed version for Ubuntu:26.04 gnutls28.

References


CVE-2026-11564

low severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: curl/libcurl3t64-gnutls
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2, git@1:2.53.0-1ubuntu1 and others

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 git@1:2.53.0-1ubuntu1 curl/libcurl3t64-gnutls@8.18.0-1ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.

An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.

Remediation

There is no fixed version for Ubuntu:26.04 curl.

References


CVE-2026-12064

low severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: curl/libcurl3t64-gnutls
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2, git@1:2.53.0-1ubuntu1 and others

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 git@1:2.53.0-1ubuntu1 curl/libcurl3t64-gnutls@8.18.0-1ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

When a user invokes curl using a schemeless URL combined with --proto-default sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.

Remediation

There is no fixed version for Ubuntu:26.04 curl.

References


CVE-2026-11352

low severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: curl/libcurl3t64-gnutls
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2, git@1:2.53.0-1ubuntu1 and others

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 git@1:2.53.0-1ubuntu1 curl/libcurl3t64-gnutls@8.18.0-1ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.

Remediation

There is no fixed version for Ubuntu:26.04 curl.

References


CVE-2026-10536

low severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: curl/libcurl3t64-gnutls
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2, git@1:2.53.0-1ubuntu1 and others

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 git@1:2.53.0-1ubuntu1 curl/libcurl3t64-gnutls@8.18.0-1ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via CURLOPT_STREAM_DEPENDS or CURLOPT_STREAM_DEPENDS_E, subsequently invokes curl_easy_reset(), and finally terminates the handle with curl_easy_cleanup(). During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.

Remediation

There is no fixed version for Ubuntu:26.04 curl.

References


CVE-2026-8932

low severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: curl/libcurl3t64-gnutls
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2, git@1:2.53.0-1ubuntu1 and others

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 git@1:2.53.0-1ubuntu1 curl/libcurl3t64-gnutls@8.18.0-1ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse.

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key.

Remediation

There is no fixed version for Ubuntu:26.04 curl.

References


CVE-2026-11586

low severity
Exploit: Not Defined

  • Manifest file: quay.io/argoproj/argocd:v3.5.0-rc2/argoproj/argocd Dockerfile
  • Package Manager: ubuntu:26.04
  • Vulnerable module: curl/libcurl3t64-gnutls
  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2, git@1:2.53.0-1ubuntu1 and others

Detailed paths

  • Introduced through: docker-image|quay.io/argoproj/argocd@v3.5.0-rc2 git@1:2.53.0-1ubuntu1 curl/libcurl3t64-gnutls@8.18.0-1ubuntu2.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:26.04 relevant fixed versions and status.

By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.

Remediation

There is no fixed version for Ubuntu:26.04 curl.

References