SCA: security update for github.com/anchore/syft (GHSA-rjcw-vg7j-m9rc)

medium Tenable Self-Hosted Container Security Plugin ID 439096

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Syft is a a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container
images and filesystems. Syft versions before v1.42.3 would not properly cleanup temporary storage if the
temporary storage was exhausted during a scan. When scanning archives Syft will unpack those archives into
temporary storage then inspect the unpacked contents. Under normal operation Syft will remove the
temporary data it writes after completing a scan. This vulnerability would affect users of Syft that were
scanning content that could cause Syft to fill the temporary storage that would then cause Syft to raise
an error and exit. When the error is triggered Syft would exit without properly removing the temporary
files in use. In our testing this was most easily reproduced by scanning very large artifacts or highly
compressed artifacts such as a zipbomb. Because Syft would not clean up its temporary files, the result
would be filling temporary file storage preventing future runs of Syft or other system utilities that rely
on temporary storage being available. The patch has been released in v1.42.3. Syft now cleans up temporary
files when an error condition is encountered. There are no workarounds for this vulnerability in Syft.
Users that find their temporary storage depleted can manually remove the temporary files. (CVE-2026-33481)

Solution

Update the github.com/anchore/syft library and its related packages to version 1.42.3 or later.

See Also

https://github.com/advisories/GHSA-rjcw-vg7j-m9rc

Plugin Details

Severity: Medium

ID: 439096

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 3/21/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2026-33481

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/20/2026

Vulnerability Publication Date: 3/20/2026

Reference Information

CVE: CVE-2026-33481

cwe: CWE-460