CVE-2026-33481
Temporary Storage Cleanup Failure in Syft Causes Resource Exhaustion
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anchore | syft | < 1.42.3 (all versions before 1.42.3; 1.42.3 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-460 | The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33481 is a vulnerability in Syft, the tool used to generate a Software Bill of Materials (SBOM) from container images and filesystems. In versions before v1.42.3, Syft does not properly clean up its temporary files when temporary storage fills up during a scan. When scanning archives, Syft unpacks them into temporary storage and inspects the contents. If that storage is exhausted, Syft returns an error and exits without deleting the temporary files it created.
The leftover files persist across failed runs, so each failure leaves less free temporary storage for the next one. Once the space is gone, later Syft runs and any other utility that needs temporary storage can fail as well. The condition is easiest to reproduce with very large or highly compressed artifacts such as zip bombs, which also means an untrusted artifact handed to a scanner can trigger it deliberately.
The fix in Syft v1.42.3 ensures that the temporary files are removed even when the scan ends in an error. There is no workaround within Syft itself; on affected versions, users whose temporary storage has been depleted must remove the leftover files manually.
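As an added illustration of the cleanup pattern behind CWE-460 (editor's example in POSIX sh, not Syft's own code, which is written in Go; the out-of-space failure is simulated with a counter rather than by filling a disk): `scan_leaky` removes its scratch directory only on the success path, so an error return leaves it behind, while `scan_fixed` registers the removal with an EXIT trap before doing any work, the shell analogue of a deferred cleanup, so every exit path removes it.

```shell
#!/bin/sh
# Editor's illustration of the CWE-460 cleanup pattern. Not Syft's code.
# The "temporary storage exhausted" error is simulated: fake_unpack fails
# when it reaches entry number FAIL_AT instead of hitting a full disk.

# fake_unpack DIR FAIL_AT: writes 5 entries into DIR; returns 1 as if the
# write of entry FAIL_AT had failed with "no space left on device".
fake_unpack() {
    dir=$1
    fail_at=$2
    i=0
    while [ "$i" -lt 5 ]; do
        if [ "$i" -eq "$fail_at" ]; then
            return 1
        fi
        printf 'x' > "$dir/entry-$i"
        i=$((i + 1))
    done
    return 0
}

# scan_leaky BASE FAIL_AT: creates a scratch directory under BASE, unpacks
# into it and removes it only when unpacking succeeds. Prints the directory
# so the caller can inspect what was left behind; exit status is the scan's.
scan_leaky() {
    dir=$(mktemp -d "$1/scan.XXXXXX") || return 2
    printf '%s\n' "$dir"
    if fake_unpack "$dir" "$2"; then
        rm -rf "$dir"
        return 0
    fi
    return 1   # BUG: the error path returns without removing $dir
}

# scan_fixed BASE FAIL_AT: same scan, run in a subshell whose EXIT trap
# removes the scratch directory on every exit path, success or error.
scan_fixed() (
    dir=$(mktemp -d "$1/scan.XXXXXX") || exit 2
    trap 'rm -rf "$dir"' EXIT
    printf '%s\n' "$dir"
    fake_unpack "$dir" "$2"
)
```

After `scan_leaky "$base" 3` fails, the printed directory still exists and holds `entry-0` to `entry-2`; after `scan_fixed "$base" 3` fails with the same status, the directory is gone.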
How can this vulnerability impact me?
This vulnerability fills the system's temporary storage with files that Syft leaves behind whenever a scan ends in an error. Once that storage is exhausted, Syft cannot run further scans, and other utilities that depend on free temporary storage can fail too.
Scanning very large or highly compressed artifacts is the most reliable trigger. Users who hit the condition must delete the leftover files by hand to restore normal operation.
The issue is classified as moderate severity, with a CVSS v3.1 base score of 5.3. The impact is to availability only: a denial of service through resource exhaustion, with no effect on confidentiality or integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability shows up as leftover temporary files and directories accumulating in temporary storage after Syft scans of large or highly compressed artifacts end in an error. Detection therefore means watching temporary storage for unusually large or numerous entries that remain after Syft has exited.
Check the directory Syft actually uses: /tmp by default, or the directory named by TMPDIR if that variable is set when Syft runs (Syft is a Go program, and Go's default temporary-directory lookup honours TMPDIR). A finished scan should have removed its scratch data, so entries that survive a scan that has already exited are the sign to look for.
Suggested commands to detect leftover temporary files include:
- List the largest entries in temporary storage: `du -sh /tmp/* | sort -h`
- Find entries created around the time of a failed scan: `find /tmp -mindepth 1 -maxdepth 1 -mmin -60` (the window is from the last hour; widen it with `-mtime -1` for the last day)
- Check whether the filesystem holding temporary storage is full or nearly full: `df -h /tmp`
These commands list every large or recent entry, not only Syft's, so confirm that an entry belongs to a Syft scan before removing it, and leave alone the scratch directory of a scan that is still running. Monitoring these indicators after Syft scans shows whether the vulnerability is causing resource exhaustion through improper cleanup.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Syft to v1.42.3 or later, where temporary files are cleaned up even when an error occurs during scanning. Confirm the installed version with `syft version`.
If upgrading immediately is not possible, free depleted temporary storage by removing the leftover files manually, after checking that no Syft scan is still running against them.
There is no workaround within Syft itself that prevents the leak in affected versions. An operational measure outside Syft, assuming it uses Go's default temporary-directory lookup, is to run scans with TMPDIR pointed at a dedicated filesystem, so that a scan which exhausts temporary storage cannot starve other utilities on the host, and to clean that filesystem between runs.
- Upgrade Syft to version v1.42.3 or later.
- Manually clean up temporary files left by Syft, typically located in the system's temporary directory (e.g. /tmp, or the directory named by TMPDIR when that is set).
- Monitor temporary storage usage regularly to prevent exhaustion.
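A helper covering both the detection commands in the previous answer and the manual cleanup step here, as an added example in POSIX sh (editor's code, not part of Syft). It assumes Syft's scratch data lands in $TMPDIR when that is set and in /tmp otherwise, which is Go's default temporary-directory behaviour, and it recognises leftover entries by a name prefix: the `syft-` default below is a placeholder, not a name confirmed by this page, so set SYFT_TMP_PREFIX to whatever your installation produces (inspect the directory right after a scan starts). Entries younger than the age threshold are left alone so a running scan is not disturbed, and nothing is deleted while a `syft` process exists.

```shell
#!/bin/sh
# Editor's helper for finding and removing leftover scan directories.
# Not part of Syft. Assumptions, to verify on your system:
#   - Syft writes scratch data under the directory Go's os.TempDir() returns:
#     $TMPDIR when set, otherwise /tmp (Go's behaviour on Unix).
#   - Leftover entries can be recognised by a name prefix; "syft-" is a
#     placeholder, override SYFT_TMP_PREFIX with what your version uses.

SYFT_TMP_PREFIX=${SYFT_TMP_PREFIX:-syft-}

# scratch_dir: the directory a Go program such as Syft uses for temp files.
scratch_dir() {
    printf '%s\n' "${TMPDIR:-/tmp}"
}

# usage_pct DIR: percentage of the filesystem holding DIR that is in use.
usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# list_stale DIR MINUTES: top-level entries of DIR matching the prefix that
# have not been modified for more than MINUTES minutes. The age filter keeps
# the scratch directory of a scan that is still running out of the list.
list_stale() {
    find "$1" -mindepth 1 -maxdepth 1 -name "${SYFT_TMP_PREFIX}*" -mmin +"$2"
}

# count_stale DIR MINUTES: number of stale entries.
count_stale() {
    list_stale "$1" "$2" | wc -l | tr -d ' '
}

# report DIR MINUTES: what to look at after a failed scan.
report() {
    echo "filesystem use: $(usage_pct "$1")%"
    echo "stale entries older than $2 min:"
    list_stale "$1" "$2" | while IFS= read -r p; do du -sh "$p"; done
}

# purge_stale DIR MINUTES: remove stale entries, refusing if a syft process
# is running (pgrep is from procps; when it is absent the check is skipped).
purge_stale() {
    if command -v pgrep >/dev/null 2>&1 && pgrep -x syft >/dev/null 2>&1; then
        echo "syft is running; not deleting anything" >&2
        return 1
    fi
    list_stale "$1" "$2" | while IFS= read -r p; do
        rm -rf -- "$p"
    done
}
```

Run `report "$(scratch_dir)" 60` after a failed scan to see the filesystem usage and the candidate entries with their sizes, then `purge_stale "$(scratch_dir)" 60` once you have confirmed the entries are Syft's. The prefix filter is what stops the purge from touching other programs' temporary data, so do not loosen it to `*`.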
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.