Vulnerability Reportapache/kafka:4.2.0

apache/kafka:latestapache/kafka:4.2.0apache/kafka:4.2.0-rc4

DIGESTsha256:9516fb7634bad307d17c33b589fde9023003b0cb761374f500002b980a3149b9

Executive Summary

Threat ScoreCAUTION• 9 exposed vulnerabilities with severity >= 6.0 (max 6.38) present.• CVE-2026-28390 and CVE-2026-34183 in OpenSSL could cause Denial of Service via crafted CMS or QUIC packets.• CVE-2026-34479 in Log4j bridge may allow log injection affecting downstream systems.• High-reputation image (30M+ pulls) but vulnerable packages degrade security posture.

50/100CAUTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (30M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. An attacker could cause denial of service or inject malformed logs, impacting availability and integrity. Upgrading OpenSSL and Log4j to patched versions would eliminate these issues. Note: CVE-2026-34183 only applies if QUIC is enabled; CVE-2026-28390 only applies if CMS decryption on untrusted input is performed.

Vulnerabilities

Vulnerability Log

106 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-28390	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34479	MEDIUM6.38	org.apache.logging.log4j:log4j-1.2-api 2.25.3 fixed in 2.25.4	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34478	MEDIUM6.38	org.apache.logging.log4j:log4j-core 2.25.3 fixed in 2.25.4	0.8% Theoretical Threat	Directly Exposed
CVE-2026-34480	MEDIUM6.38	org.apache.logging.log4j:log4j-core 2.25.3 fixed in 2.25.4	0.9% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-2673	MEDIUM5.52	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 12.0.22 fixed in 12.0.31, 12.1.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-28387	MEDIUM5.5	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-28387	MEDIUM5.5	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-28387	MEDIUM5.5	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-34181	MEDIUM5.35	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-28388	MEDIUM5.1	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.9% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-28388	MEDIUM5.1	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.9% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-28388	MEDIUM5.1	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.9% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-31790	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.6-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34477	MEDIUM5.02	org.apache.logging.log4j:log4j-core 2.25.3 fixed in 2.25.4	0.4% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-32776	MEDIUM4.67	libexpat 2.7.4-r0 fixed in 2.7.5-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-32777	MEDIUM4.67	libexpat 2.7.4-r0 fixed in 2.7.5-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-32778	MEDIUM4.67	libexpat 2.7.4-r0 fixed in 2.7.5-r0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6042	MEDIUM4.67	musl 1.2.5-r21 fixed in 1.2.5-r22	0.2% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib 1.3.1-r2 fixed in 1.3.2-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Directly Exposed
CVE-2026-40200	LOW3.98	musl-utils 1.2.5-r21 fixed in 1.2.5-r23	0.1% Theoretical Threat	Post-Exploit
CVE-2026-33846	LOW3.82	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.9% Theoretical Threat	Post-Exploit
CVE-2026-42009	LOW3.82	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28389	LOW3.82	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28390	LOW3.82	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW3.82	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-3833	LOW3.77	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42011	LOW3.77	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW3.77	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-34757	LOW3.74	libpng 1.6.54-r0 fixed in 1.6.57-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42012	LOW3.62	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42014	LOW3.37	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-2673	LOW3.31	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-34181	LOW3.21	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42768	LOW3.21	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW3.15	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-31790	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.6-r0	1.0% Theoretical Threat	Post-Exploit
CVE-2026-42764	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-42769	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-9076	LOW3.01	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42010	LOW3	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-31789	LOW3	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-31789	LOW3	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-31789	LOW3	openssl 3.5.5-r0 fixed in 3.5.6-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	libssl3 3.5.5-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	openssl 3.5.5-r0 fixed in 3.5.7-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-6042	LOW2.8	musl-utils 1.2.5-r21 fixed in 1.2.5-r22	0.2% Theoretical Threat	Post-Exploit
CVE-2026-7383	LOW2.8	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-33845	LOW2.78	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libcrypto3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-2332	LOW2.78	org.eclipse.jetty:jetty-http 12.0.22 fixed in 12.1.7, 12.0.33	0.4% Theoretical Threat	Post-Exploit
CVE-2026-1584	LOW2.7	gnutls 3.8.11-r0 fixed in 3.8.12-r0	1.3% Low-Moderate Risk	Post-Exploit
CVE-2026-33416	LOW2.7	libpng 1.6.54-r0 fixed in 1.6.56-r0	1.1% Low-Moderate Risk	Post-Exploit
CVE-2025-14831	LOW2.7	gnutls 3.8.11-r0 fixed in 3.8.12-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42015	LOW2.7	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-42766	LOW2.7	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42767	LOW2.7	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2025-67030	LOW2.69	org.codehaus.plexus:plexus-utils 3.5.1 fixed in 4.0.3, 3.6.1	0.7% Theoretical Threat	Post-Exploit
CVE-2026-34180	LOW2.55	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-42013	LOW2.51	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.4% Theoretical Threat	Post-Exploit
CVE-2026-5260	LOW2.51	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2026-25646	LOW2.48	libpng 1.6.54-r0 fixed in 1.6.55-r0	0.9% Theoretical Threat	Post-Exploit
CVE-2026-40200	LOW2.39	musl 1.2.5-r21 fixed in 1.2.5-r23	0.1% Theoretical Threat	Post-Exploit
CVE-2026-22184	LOW2.39	zlib 1.3.1-r2 fixed in 1.3.2-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-33636	LOW2.33	libpng 1.6.54-r0 fixed in 1.6.56-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2026-28389	LOW2.29	libcrypto3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28389	LOW2.29	libssl3 3.5.5-r0 fixed in 3.5.6-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2026-1605	LOW2.29	org.eclipse.jetty:jetty-server 12.0.22 fixed in 12.1.6, 12.0.32	0.4% Theoretical Threat	Post-Exploit
CVE-2026-3832	LOW1.89	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2026-5419	LOW1.89	gnutls 3.8.11-r0 fixed in 3.8.13-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW1.89	openssl 3.5.5-r0 fixed in 3.5.7-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2026-40930	NONE0	libpng 1.6.54-r0 fixed in 1.6.58-r1	0.2% Theoretical Threat	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.19.2 fixed in 2.21.1, 2.18.6	—	Not Applicable
GHSA-2r2c-cx56-8933	NONE0	org.jline:jline-remote-telnet 3.30.4 fixed in 4.2.1	—	Not Applicable
GHSA-47qp-hqvx-6r3f	NONE0	org.jline:jline-remote-telnet 3.30.4 fixed in 4.2.1	—	Not Applicable