Skip to content

Commit 19e549b

Browse files
UID2-7456: suppress CVE-2026-56131/56407/56408 (libexpat) in .trivyignore (#2642)
1 parent 1670493 commit 19e549b

1 file changed

Lines changed: 10 additions & 0 deletions

File tree

.trivyignore

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -52,3 +52,13 @@ CVE-2026-54513 exp:2026-07-25
5252
# eclipse-temurin base image has not yet been rebuilt with it.
5353
# See: UID2-7376
5454
CVE-2026-2100 exp:2026-09-01
55+
56+
# CVE-2026-56131 / CVE-2026-56407 / CVE-2026-56408 — libexpat stack exhaustion / integer overflows
57+
# in the Alpine base image. uid2-operator is a pure Java service; the JVM parses XML via the built-in
58+
# JAXP/Xerces implementation, not the native libexpat C library, and there are no JNI bindings or
59+
# native deps that call into libexpat, so the crafted-XML attack path is not reachable. Fixed in
60+
# Alpine v3.23 libexpat >= 2.8.2-r0; the pinned eclipse-temurin base image has not yet been rebuilt with it.
61+
# See: UID2-7456
62+
CVE-2026-56131 exp:2026-08-09
63+
CVE-2026-56407 exp:2026-08-09
64+
CVE-2026-56408 exp:2026-08-09

0 commit comments

Comments
 (0)