Vulnerability Reportapache/kafka:3.9.2

apache/kafka:3.9.2apache/kafka:3.9.2-rc1

DIGESTsha256:05b4616e0702ef2729327705d54ad6b50ea70b271c4b730fabd2320789fb7b02

Executive Summary

Threat ScoreCAUTION• High number of exposed vulnerabilities (21 with severity >=6.0) including CVE-2026-40200 (max severity 6.63), CVE-2026-33636, CVE-2026-33846.• Top findings include denial-of-service vulnerabilities in OpenSSL (CVE-2026-28388, CVE-2026-28389, CVE-2026-28390) and GnuTLS (CVE-2026-33846, CVE-2026-42009) which could disrupt availability.• CVE-2026-40200 involves memory corruption in musl libc, but requires specific conditions (large arrays) limiting exploitability.• Image is from a popular community publisher (Apache) with high trust score (90) and pinned by digest, ensuring immutability.• All vulnerabilities are on the exposed surface, meaning they are reachable without prior compromise.

50/100CAUTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (29M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. The most severe findings include denial-of-service vulnerabilities in core cryptographic libraries (OpenSSL, GnuTLS) and a memory corruption issue in musl libc (CVE-2026-40200) that could allow arbitrary code execution under limited conditions. Some OpenSSL vulnerabilities require enabling non-default flags like delta CRL processing to be exploitable. The image has a high number of exposed vulnerabilities (21 with severity >=6.0) but benefits from a reliable publisher and immutable digest.

Vulnerabilities

Vulnerability Log

107 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-40200	MEDIUM6.63	musl 1.2.5-r21 fixed in 1.2.5-r23	0.1% Theoretical Threat	Directly Exposed
CVE-2026-40200	MEDIUM6.63	musl-utils 1.2.5-r21 fixed in 1.2.5-r23	0.1% Theoretical Threat	Directly Exposed
CVE-2026-33636	MEDIUM6.46	libpng 1.6.54-r0 fixed in 1.6.56-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-33846	MEDIUM6.38	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-42009	MEDIUM6.38	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.9% Theoretical Threat	Directly Exposed
CVE-2026-28389	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.1.125.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly Exposed
CVE-2026-50010	MEDIUM6.38	io.netty:netty-handler 4.1.125.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-3833	MEDIUM6.29	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42011	MEDIUM6.29	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-24281	MEDIUM6.29	org.apache.zookeeper:zookeeper 3.8.4 fixed in 3.8.6, 3.9.5	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42012	MEDIUM6.03	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42014	MEDIUM5.61	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 9.4.57.v20241219 fixed in 12.0.31, 12.1.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM5.1	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.9% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-31790	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.6-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31789	MEDIUM5	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-31789	MEDIUM5	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-32776	MEDIUM4.67	libexpat 2.7.4-r0 fixed in 2.7.5-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-32777	MEDIUM4.67	libexpat 2.7.4-r0 fixed in 2.7.5-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-32778	MEDIUM4.67	libexpat 2.7.4-r0 fixed in 2.7.5-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6042	MEDIUM4.67	musl 1.2.5-r21 fixed in 1.2.5-r22	0.2% Theoretical Threat	Directly Exposed
CVE-2026-6042	MEDIUM4.67	musl-utils 1.2.5-r21 fixed in 1.2.5-r22	0.2% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib 1.3.1-r2 fixed in 1.3.2-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2025-14831	MEDIUM4.5	gnutls 3.8.11-r0 fixed in 3.8.12-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42015	MEDIUM4.5	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2024-6763	MEDIUM4.5	org.eclipse.jetty:jetty-http 9.4.57.v20241219 fixed in 12.0.12	1.0% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34757	LOW3.74	libpng 1.6.54-r0 fixed in 1.6.57-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.1.125.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34181	LOW3.21	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42768	LOW3.21	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-3832	LOW3.15	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5419	LOW3.15	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-31790	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.6-r0	1.0% Theoretical Threat	Post-Exploit
CVE-2026-42764	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-42769	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-9076	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42010	LOW3	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-31789	LOW3	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	libssl3 3.5.5-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	openssl 3.5.5-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-7383	LOW2.8	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-33845	LOW2.78	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-2332	LOW2.78	org.eclipse.jetty:jetty-http 9.4.57.v20241219 fixed in 12.1.7, 12.0.33	0.4% Theoretical Threat	Post-Exploit
CVE-2026-1584	LOW2.7	gnutls 3.8.11-r0 fixed in 3.8.12-r0	1.3% Low-Moderate Risk	Post-Exploit
CVE-2026-33416	LOW2.7	libpng 1.6.54-r0 fixed in 1.6.56-r0	1.1% Low-Moderate Risk	Post-Exploit
CVE-2026-24308	LOW2.7	org.apache.zookeeper:zookeeper 3.8.4 fixed in 3.9.5, 3.8.6	1.1% Low-Moderate Risk	Post-Exploit
CVE-2026-42766	LOW2.7	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42767	LOW2.7	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2025-67030	LOW2.69	org.codehaus.plexus:plexus-utils 3.5.1 fixed in 4.0.3, 3.6.1	0.7% Theoretical Threat	Post-Exploit
CVE-2026-34180	LOW2.55	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-42013	LOW2.51	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-5260	LOW2.51	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-25646	LOW2.48	libpng 1.6.54-r0 fixed in 1.6.55-r0	0.9% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-28387	LOW2.48	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-44249	LOW2.48	io.netty:netty-handler 4.1.125.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Post-Exploit
CVE-2026-22184	LOW2.39	zlib 1.3.1-r2 fixed in 1.3.2-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-28389	LOW2.29	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28390	LOW2.29	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW2.26	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-2673	LOW1.99	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW1.89	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-40930	NONE0	libpng 1.6.54-r0 fixed in 1.6.58-r1	0.2% Theoretical Threat	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.16.2 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec 4.1.125.Final fixed in 4.1.133.Final	0.4% Theoretical Threat	Not Applicable