CVE-2026-54448
Trivy: Helm chart tar bomb causes OOM via unbounded io.ReadAll in parser
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Trivy is a security scanner. In versions prior to 0.71.0, when Trivy scans a Helm chart archive (.tgz), its custom tar unpacker reads each entry into memory with io.ReadAll(tr) and applies no size limit. An attacker who can place a malicious .tgz file in the scanned path can craft a small compressed archive that decompresses to gigabytes (a decompression bomb), so the Trivy process exhausts memory and is killed by the OS OOM killer. This vulnerability is fixed in 0.71.0.
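To make the failure mode concrete, the following added example (written for this page, not Trivy's own code) builds a tiny .tgz in memory whose single entry expands to many megabytes of NUL bytes, then unpacks it twice: once with the unbounded io.ReadAll pattern the advisory describes, and once with a per-entry and per-archive cap checked against the tar header before anything is allocated. The entry names, the limits and the helper names (buildTgz, unpackUnbounded, unpackBounded, ErrEntryTooLarge) are assumptions for illustration; the sample archives are constructed inline.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrEntryTooLarge is returned by unpackBounded when a cap is exceeded (assumed name).
var ErrEntryTooLarge = errors.New("tar entry exceeds size limit")

// zeroReader yields endless NUL bytes; gzip compresses them roughly 1000:1.
type zeroReader struct{}

func (zeroReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0
	}
	return len(p), nil
}

// tgzEntry describes one file to put in a constructed archive: literal content,
// or, when content is nil, `size` NUL bytes streamed so the bomb never sits
// uncompressed in memory while it is being built.
type tgzEntry struct {
	name    string
	content []byte
	size    int64
}

// buildTgz writes a gzip-compressed tar archive in memory (constructed sample input).
func buildTgz(entries []tgzEntry) ([]byte, error) {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, e := range entries {
		var src io.Reader = bytes.NewReader(e.content)
		size := int64(len(e.content))
		if e.content == nil {
			src, size = io.LimitReader(zeroReader{}, e.size), e.size
		}
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Size: size, Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := io.Copy(tw, src); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	if err := gz.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// unpackUnbounded mirrors the vulnerable pattern: every regular entry is slurped
// with io.ReadAll and no cap, so the heap grows to the decompressed size.
func unpackUnbounded(tgz []byte) (map[string][]byte, error) {
	gz, err := gzip.NewReader(bytes.NewReader(tgz))
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	files := map[string][]byte{}
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return files, nil
		}
		if err != nil {
			return nil, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		data, err := io.ReadAll(tr) // unbounded: allocates hdr.Size bytes
		if err != nil {
			return nil, err
		}
		files[hdr.Name] = data
	}
}

// unpackBounded rejects an entry from its header before allocating, reads through
// io.LimitReader as belt-and-braces, and caps the archive's total decompressed size.
func unpackBounded(tgz []byte, maxEntry, maxTotal int64) (map[string][]byte, error) {
	gz, err := gzip.NewReader(bytes.NewReader(tgz))
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	files := map[string][]byte{}
	var total int64
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return files, nil
		}
		if err != nil {
			return nil, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		if hdr.Size < 0 || hdr.Size > maxEntry || total+hdr.Size > maxTotal {
			return nil, fmt.Errorf("%w: %q declares %d bytes", ErrEntryTooLarge, hdr.Name, hdr.Size)
		}
		data, err := io.ReadAll(io.LimitReader(tr, maxEntry+1)) // one byte past the cap
		if err != nil {
			return nil, err
		}
		if int64(len(data)) > maxEntry {
			return nil, fmt.Errorf("%w: %q", ErrEntryTooLarge, hdr.Name)
		}
		total += int64(len(data))
		files[hdr.Name] = data
	}
}

func main() {
	bomb, _ := buildTgz([]tgzEntry{{name: "chart/values.yaml", size: 64 << 20}})
	fmt.Printf("bomb: %d bytes compressed, 64 MiB decompressed\n", len(bomb))
	_, err := unpackBounded(bomb, 4<<20, 64<<20)
	fmt.Println("bounded unpack:", err)
}
```

The header check is what prevents the allocation; the LimitReader only matters if a reader is ever fed something other than archive/tar's own per-entry stream. In a scanner, the per-entry cap should be sized for the largest file a legitimate chart could plausibly contain, and the total cap for the whole archive, so that a bomb fails fast with an error instead of taking the process down.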
| CWE | CWE-770 CWE-789 |
| Vendor | aquasecurity |
| Product | trivy |
| Published | Jun 25, 2026 |
| Last Updated | Jun 25, 2026 |
Affected Versions
aquasecurity / trivy
< 0.71.0