Trivy, Helm Chart Tar Bomb Denial-of-Service, CVE-2026-54448 (Medium) -DC-Jul2026-990

Listen to this Post

How CVE-2026-54448 Works

Trivy is a comprehensive security scanner maintained by Aqua Security. Prior to version 0.71.0, when Trivy scanned a Helm chart archive (.tgz) as part of misconfiguration scanning, it relied on a custom tar unpacker that processed each archive entry using `io.ReadAll(tr)` without imposing any size limits on decompressed data.
This implementation flaw creates a classic “zip bomb” / “tar bomb” vulnerability. An attacker can craft a malicious Helm chart archive that is small in compressed size but expands to gigabytes—or even terabytes—when decompressed. Because the unpacker reads every entry completely into memory via io.ReadAll(), the decompressed data accumulates in the Trivy process’s memory space until the host’s available RAM is exhausted.
The attack requires the attacker to place the malicious `.tgz` file in a location that Trivy will scan as a Helm chart. This can occur in several realistic scenarios:
– A CI pipeline running `trivy config .` on a repository where a contributor submits a pull request containing a crafted chart archive.
– A pipeline scanning a container image with --scanners misconf, where the build context includes untrusted `.tgz` files.
– Any filesystem scan where `–scanners misconf` is explicitly enabled and a crafted Helm chart is present in the scanned directory.
When the OOM (Out-Of-Memory) condition is triggered, the OS kernel’s OOM killer terminates the Trivy process. In CI environments, this results in a denial-of-service: the scan fails, the pipeline is blocked, and repeated submissions can re-trigger the same condition, potentially incurring additional cloud CI runner costs. There is no impact on confidentiality or integrity of the scanned system.
The vulnerability was addressed in Trivy v0.71.0 by replacing the custom tar unpacker with `archive.LoadArchiveFiles` from the official `helm.sh/helm/v4` SDK, which enforces per-entry and total size limits and validates archive structure.

DailyCVE Form

| Field | Value |

|-|-|

| Platform | Trivy (aquasecurity) |

| Version | < 0.71.0 |

| Vulnerability | Unbounded memory allocation (CWE-770) |

| Severity | MEDIUM (CVSS 6.5) |

| Date | 2026-06-25 |

| Prediction | Patch already released (v0.71.0) |

What Undercode Say: Analytics

Affected Scan Commands

| Command | Condition |

||–|

| `trivy config

` | Directory contains crafted `.tgz` Helm chart (misconf scanning always enabled) |
| `trivy filesystem –scanners misconf ` | Directory contains crafted `.tgz` and `–scanners misconf` enabled |
| `trivy image –scanners misconf ` | Image contains crafted `.tgz` and `–scanners misconf` enabled |

Vulnerability Metrics

| Metric | Value |

|–|-|

| CVE ID | CVE-2026-54448 |

| CVSS 3.1 Base Score | 6.5 (MEDIUM) |

| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |

| CVSS 4.0 Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |

| CWE | CWE-770 (Allocation of Resources Without Limits or Throttling) |
| CWE | CWE-789 (Memory Allocation with Excessive Size Value) |

| EPSS | 0.25% (0.16271) |

| Exploitation | PoC available |

| Automatable | No |

| Technical Impact | Partial |

Code Behavior (Pre-Fix)

// Vulnerable pattern in Trivy < 0.71.0
// Custom tar unpacker reads each entry with no size limit
func unpackHelmChart(tr tar.Reader) error {
for {
header, err := tr.Next()
if err == io.EOF {
break
}
// No size validation - reads entire entry into memory
data, err := io.ReadAll(tr) // <-- UNBOUNDED!
// ... process data ...
}
return nil
}

Fixed Implementation (v0.71.0+)

// Fixed in Trivy v0.71.0 - uses official Helm SDK
// Replaced custom unpacker with archive.LoadArchiveFiles
// from helm.sh/helm/v4 SDK which enforces:
// - Per-entry size limits
// - Total archive size limits
// - Archive structure validation
import "helm.sh/helm/v4/pkg/archive"
func loadHelmChart(path string) error {
// archive.LoadArchiveFiles enforces size limits internally
files, err := archive.LoadArchiveFiles(path)
// ...
}

Exploit

Attack Vector

An attacker crafts a malicious Helm chart archive (.tgz) where a small compressed file expands to an extremely large size upon decompression. The archive is then placed in a location scanned by Trivy.

Proof of Concept (Conceptual)

Create a malicious Helm chart that decompresses to gigabytes
1. Create a sparse file that appears small in tar but expands massively
dd if=/dev/zero of=payload.bin bs=1M count=1 seek=4095 4GB sparse file
2. Package as a Helm chart archive
tar -czf malicious-chart-1.0.0.tgz payload.bin Chart.yaml values.yaml templates/
3. Place in a directory scanned by Trivy
trivy config ./ --scanners misconf Triggers OOM

Trigger Conditions

Scenario 1: CI pipeline scanning repository
trivy config . --scanners misconf
Scenario 2: Filesystem scan with misconf enabled
trivy filesystem --scanners misconf /path/to/untrusted/dir
Scenario 3: Container image scan with misconf
trivy image --scanners misconf vulnerable-image:latest

Protection

1. Upgrade to Fixed Version (Recommended)

Upgrade Trivy to v0.71.0 or later
Official installation methods:
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.71.0
Or via package manager
apt-get update && apt-get install trivy=0.71.0 Debian/Ubuntu
brew upgrade trivy macOS

2. Workarounds (If Upgrade Not Immediately Possible)

Set memory limits on the Trivy process:

Docker
docker run --memory=512m aquasec/trivy:0.70.0 config ./ --scanners misconf
Kubernetes (Pod spec)
resources:
limits:
memory: 512Mi
systemd (cgroup)
systemd-run --scope -p MemoryMax=512M trivy config . --scanners misconf

Exclude untrusted directories from scanning:

Skip directories containing untrusted Helm charts
trivy config . --skip-dirs ./untrusted/charts --scanners misconf
trivy filesystem --skip-dirs ./untrusted/charts --scanners misconf /path

Avoid scanning untrusted `.tgz` files:

Remove or isolate untrusted Helm chart archives before scanning
rm -f ./untrusted/.tgz
Or move to a safe location outside scan scope
mv ./untrusted/.tgz /tmp/quarantine/

3. CI/CD Pipeline Protections

GitHub Actions example with resource limits
jobs:
security-scan:
runs-on: ubuntu-latest
container:
image: aquasec/trivy:0.71.0 Use patched version
steps:
- uses: actions/checkout@v4
- name: Scan with Trivy
run: trivy config . --scanners misconf

Impact

| Aspect | Details |

|–||

| Confidentiality | None |

| Integrity | None |

| Availability | High – OOM kills Trivy process, blocks CI pipelines |
| Attack Prerequisite | Attacker must place malicious `.tgz` in scanned path |
| Attack Complexity | Low (crafting tar bomb is straightforward) |
| Privileges Required | Low (any user who can place files in scan path) |

| User Interaction | None |

| Scope | Unchanged |

| CI/CD Impact | Pipeline failure, repeated attacks consume runner resources |
| Financial Impact | Potential increased cloud CI costs from repeated failed runs |
| Fix Available | Yes – upgrade to Trivy v0.71.0 |
| GitHub Security Advisory | GHSA-q3fv-x8vg-qqm4 |
| Fix Pull Request | 10718 |

| Reported By | @jamesgol |

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top