akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 15 Packages Projects Releases Wiki Activity

docs: track CVE-2026-27171 zlib CPU exhaustion as a known medium vulnerability

Browse Source
This commit is contained in:
GitHub Actions
2026-03-21 12:30:20 +00:00
parent ad7e97e7df
commit 2c608bf684
2 changed files with 50 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
.trivyignore
View File

@@ -15,6 +15,14 @@ CVE-2026-25793
# See also: .grype.yaml for full justification
CVE-2026-22184
# CVE-2026-27171: zlib CPU spin via crc32_combine64 infinite loop (DoS)
# Severity: MEDIUM (CVSS 5.5 NVD / 2.9 MITRE) — Package: zlib 1.3.1-r2 in Alpine base image
# Fix requires zlib >= 1.3.2. No upstream fix available: Alpine 3.23 still ships zlib 1.3.1-r2.
# Attack requires local access (AV:L); the vulnerable code path is not reachable via Charon's
# network-facing surface. Non-blocking by CI policy (MEDIUM). Review by: 2026-04-21
# exp: 2026-04-21
CVE-2026-27171
# CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade (libcrypto3/libssl3)
# Severity: HIGH (CVSS 7.5) — Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 in Alpine base image
# No upstream fix available: Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18.

42
SECURITY.md
View File

@@ -153,6 +153,48 @@ CVE-2025-68121 (Critical severity, same root cause) is tracked separately above.
---
### [MEDIUM] CVE-2026-27171 · zlib CPU Exhaustion via Infinite Loop in CRC Combine Functions
| Field | Value |
|--------------|-------|
| **ID** | CVE-2026-27171 |
| **Severity** | Medium · 5.5 (NVD) / 2.9 (MITRE) |
| **Status** | Awaiting Upstream |
**What**
zlib before 1.3.2 allows unbounded CPU consumption (denial of service) via the `crc32_combine64`
and `crc32_combine_gen64` functions. An internal helper `x2nmodp` performs right-shifts inside a
loop with no termination condition when given a specially crafted input, causing a CPU spin
(CWE-1284).
**Who**
- Discovered by: 7aSecurity audit (commissioned by OSTIF)
- Reported: 2026-02-17
- Affects: Any component in the container that calls `crc32_combine`-family functions with
attacker-controlled input; not directly exposed through Charon's application interface
**Where**
- Component: Alpine 3.23.3 base image (`zlib` package, version 1.3.1-r2)
- Versions affected: zlib < 1.3.2; all current Charon images using Alpine 3.23.3
**When**
- Discovered: 2026-02-17 (NVD published 2026-02-17)
- Disclosed (if public): 2026-02-17
- Target fix: When Alpine 3.23 publishes a patched `zlib` APK (requires zlib 1.3.2)
**How**
Exploitation requires local access (CVSS vector `AV:L`) and the ability to pass a crafted value
to the `crc32_combine`-family functions. This code path is not invoked by Charon's reverse proxy
or backend API. The vulnerability is non-blocking under the project's CI severity policy.
**Planned Remediation**
Monitor https://security.alpinelinux.org/vuln/CVE-2026-27171 for a patched Alpine APK. Once
available, update the pinned `ALPINE_IMAGE` digest in the Dockerfile, or add an explicit
`RUN apk upgrade --no-cache zlib` to the runtime stage. Remove the `.trivyignore` entry at
that time.
---
## Patched Vulnerabilities
### ✅ [HIGH] CHARON-2026-001 · Debian Base Image CVE Cluster