Vulnerability Reportcalico/node:v3.31.5-58-g302912362136-fips

calico/node:v3.31.5-58-g302912362136-fips

DIGESTsha256:d21e8ef8601d37c18d46301421e0143b8701e667628a11a80e31fa923b508b8e

Executive Summary

Threat ScoreNEEDS ATTENTION• High-reputation community image (1719M+ pulls) pinned by digest ensures integrity.• 60 exposed surface vulnerabilities detected, but the two most severe (CVE-2023-2650, CVE-2023-0464) are medium severity (≤6.76) and require specific conditions to exploit.• No high-severity (≥7.0) exposed vulnerabilities; post-exploit vulnerabilities are low severity (max 3.37).• The two OpenSSL CVEs (CVE-2023-2650, CVE-2023-0464) can lead to denial of service if certain features are enabled (e.g., policy processing or parsing crafted certificates).• Overall risk is low to moderate; the image is a reasonable foundation for building production images.

25/100NEEDS ATTENTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (1719M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This base/runtime image is a reasonable foundation, but it ships vulnerabilities worth remediating in the images built on top of it. The most notable findings are CVE-2023-2650 (severity 6.76) and CVE-2023-0464 (severity 6.0) in OpenSSL, which could cause denial of service under specific conditions: CVE-2023-0464 requires enabling X.509 policy processing (disabled by default), and CVE-2023-2650 requires processing crafted certificates during TLS handshakes. No high-severity (≥7.0) vulnerabilities are present, and post-exploit issues are low. While the image has 60 exposed vulnerabilities, the practical risk is low to moderate in typical configurations, and upgrading the OpenSSL library in built images is recommended. Note: this is a general-purpose base/runtime image — many findings live in components that an application built on top may never load, so actual exploitability depends on the final image. For an accurate risk picture, re-scan the final application image with context.

Vulnerabilities

Vulnerability Log

94 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2023-2650	MEDIUM6.76	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	77.9% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2023-0464	MEDIUM6	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	3.7% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-4105	MEDIUM5.7	systemd-libs 239-82.el8_10.17 No fix yet	0.1% Theoretical Threat	Directly Exposed
CVE-2026-6238	MEDIUM5.52	glibc 2.28-251.el8_10.37 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6238	MEDIUM5.52	glibc-common 2.28-251.el8_10.37 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6238	MEDIUM5.52	glibc-minimal-langpack 2.28-251.el8_10.37 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2019-14250	MEDIUM5.5	libgcc 8.5.0-28.el8_10 No fix yet	2.3% Low-Moderate Risk	Directly Exposed
CVE-2024-0727	MEDIUM5.5	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	3.2% Low-Moderate Risk	Directly Exposed
CVE-2021-3997	MEDIUM5.5	systemd-libs 239-82.el8_10.17 No fix yet	1.5% Low-Moderate Risk	Directly Exposed
CVE-2026-34181	MEDIUM5.35	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.4% Theoretical Threat	Directly Exposed
CVE-2023-0466	MEDIUM5.3	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	1.6% Low-Moderate Risk	Directly Exposed
CVE-2023-0465	MEDIUM5.3	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	1.6% Low-Moderate Risk	Directly Exposed
CVE-2026-5435	MEDIUM5.02	glibc 2.28-251.el8_10.37 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-5435	MEDIUM5.02	glibc-common 2.28-251.el8_10.37 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-5435	MEDIUM5.02	glibc-minimal-langpack 2.28-251.el8_10.37 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.7% Theoretical Threat	Directly Exposed
CVE-2025-15468	MEDIUM5.02	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.7% Theoretical Threat	Directly Exposed
CVE-2025-69420	MEDIUM5.02	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.8% Theoretical Threat	Directly Exposed
CVE-2026-22796	MEDIUM5.02	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31789	MEDIUM5	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2024-2511	MEDIUM4.81	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	54.0% Actively Exploited	Directly Exposed
CVE-2024-41996	MEDIUM4.72	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	1.1% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-3606	MEDIUM4.67	libbpf 0.5.0-1.el8 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2022-27943	MEDIUM4.67	libgcc 8.5.0-28.el8_10 No fix yet	0.9% Theoretical Threat	Directly Exposed
CVE-2025-15469	MEDIUM4.67	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22795	MEDIUM4.67	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.1% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27171	MEDIUM4.67	zlib 1.2.11-25.el8 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34743	MEDIUM4.5	xz-libs 5.2.4-4.el8_6 No fix yet	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM4.42	glibc 2.28-251.el8_10.37 No fix yet	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-4437	MEDIUM4.42	glibc-common 2.28-251.el8_10.37 No fix yet	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-4437	MEDIUM4.42	glibc-minimal-langpack 2.28-251.el8_10.37 No fix yet	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2018-20839	MEDIUM4.3	systemd-libs 239-82.el8_10.17 No fix yet	2.5% Low-Moderate Risk	Directly Exposed
CVE-2026-42250	MEDIUM4.25	bzip2-libs 1.0.6-28.el8_10 No fix yet	0.1% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc 2.28-251.el8_10.37 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc 2.28-251.el8_10.37 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc-common 2.28-251.el8_10.37 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc-common 2.28-251.el8_10.37 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5450	MEDIUM4.25	glibc-minimal-langpack 2.28-251.el8_10.37 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-5928	MEDIUM4.25	glibc-minimal-langpack 2.28-251.el8_10.37 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.5% Theoretical Threat	Directly Exposed
CVE-2026-28387	MEDIUM4.13	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.6% Theoretical Threat	Directly Exposed
CVE-2021-24032	MEDIUM4	libzstd 1.4.4-1.el8 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2024-13176	MEDIUM4	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.6% Theoretical Threat	Directly Exposed
CVE-2025-68160	MEDIUM4	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2025-4598	MEDIUM4	systemd-libs 239-82.el8_10.17 No fix yet	0.6% Theoretical Threat	Directly Exposed
CVE-2026-28388	LOW3.83	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.9% Theoretical Threat	Directly Exposed
CVE-2024-25260	LOW3.4	elfutils-libelf 0.190-2.el8 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc 2.28-251.el8_10.37 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-common 2.28-251.el8_10.37 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-minimal-langpack 2.28-251.el8_10.37 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2025-69418	LOW3.4	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.1% Theoretical Threat	Directly Exposed
CVE-2025-46836	LOW3.37	net-tools 2.0-0.52.20160912git.el8 No fix yet	0.2% Theoretical Threat	Post-Exploit
CVE-2026-5958	LOW3.21	sed 4.5-5.el8_10 No fix yet	0.1% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW3.15	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2018-20657	LOW2.7	libgcc 8.5.0-28.el8_10 No fix yet	4.0% Low-Moderate Risk	Post-Exploit
CVE-2022-4899	LOW2.7	libzstd 1.4.4-1.el8 No fix yet	1.6% Low-Moderate Risk	Post-Exploit
CVE-2026-27456	LOW2.4	util-linux 2.32.1-48.el8_10 No fix yet	0.1% Theoretical Threat	Post-Exploit
CVE-2026-29111	LOW2.39	systemd-libs 239-82.el8_10.17 No fix yet	0.1% Theoretical Threat	Post-Exploit
CVE-2021-45940	LOW2.34	libbpf 0.5.0-1.el8 No fix yet	1.1% Low-Moderate Risk	Post-Exploit
CVE-2021-45941	LOW2.34	libbpf 0.5.0-1.el8 No fix yet	1.1% Low-Moderate Risk	Post-Exploit
CVE-2026-28390	LOW2.29	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.8% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.5% Theoretical Threat	Post-Exploit
CVE-2025-69421	LOW2.29	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.8% Theoretical Threat	Post-Exploit
CVE-2026-28389	LOW2.29	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.8% Theoretical Threat	Post-Exploit
CVE-2022-41409	LOW2.29	pcre2 10.32-3.el8_6 No fix yet	1.0% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW2.26	openssl-libs 1:1.1.1k-16.el8_6 No fix yet	0.2% Theoretical Threat	Post-Exploit
CVE-2025-5278	LOW2.24	coreutils-single 8.30-17.el8_10 No fix yet	0.2% Theoretical Threat	Post-Exploit
CVE-2024-56433	LOW1.84	shadow-utils 2:4.6-23.el8_10 No fix yet	0.4% Theoretical Threat	Post-Exploit
CVE-2025-11961	LOW1.61	libpcap 14:1.9.1-5.el8 No fix yet	0.1% Theoretical Threat	Directly Exposed
CVE-2021-39537	NONE0	ncurses-base 6.1-10.20180224.el8 No fix yet	3.0% Low-Moderate Risk	Not Applicable
CVE-2021-39537	NONE0	ncurses-libs 6.1-10.20180224.el8 No fix yet	3.0% Low-Moderate Risk	Not Applicable
CVE-2020-19185	NONE0	ncurses-base 6.1-10.20180224.el8 No fix yet	1.4% Low-Moderate Risk	Not Applicable
CVE-2020-19186	NONE0	ncurses-base 6.1-10.20180224.el8 No fix yet	1.5% Low-Moderate Risk	Not Applicable
CVE-2020-19187	NONE0	ncurses-base 6.1-10.20180224.el8 No fix yet	1.4% Low-Moderate Risk	Not Applicable
CVE-2020-19188	NONE0	ncurses-base 6.1-10.20180224.el8 No fix yet	1.4% Low-Moderate Risk	Not Applicable
CVE-2020-19189	NONE0	ncurses-base 6.1-10.20180224.el8 No fix yet	1.9% Low-Moderate Risk	Not Applicable
CVE-2020-19190	NONE0	ncurses-base 6.1-10.20180224.el8 No fix yet	1.4% Low-Moderate Risk	Not Applicable
CVE-2023-50495	NONE0	ncurses-base 6.1-10.20180224.el8 No fix yet	1.0% Theoretical Threat	Not Applicable
CVE-2020-19185	NONE0	ncurses-libs 6.1-10.20180224.el8 No fix yet	1.4% Low-Moderate Risk	Not Applicable
CVE-2020-19186	NONE0	ncurses-libs 6.1-10.20180224.el8 No fix yet	1.5% Low-Moderate Risk	Not Applicable
CVE-2020-19187	NONE0	ncurses-libs 6.1-10.20180224.el8 No fix yet	1.4% Low-Moderate Risk	Not Applicable
CVE-2020-19188	NONE0	ncurses-libs 6.1-10.20180224.el8 No fix yet	1.4% Low-Moderate Risk	Not Applicable
CVE-2020-19189	NONE0	ncurses-libs 6.1-10.20180224.el8 No fix yet	1.9% Low-Moderate Risk	Not Applicable
CVE-2020-19190	NONE0	ncurses-libs 6.1-10.20180224.el8 No fix yet	1.4% Low-Moderate Risk	Not Applicable
CVE-2023-50495	NONE0	ncurses-libs 6.1-10.20180224.el8 No fix yet	1.0% Theoretical Threat	Not Applicable
CVE-2018-19211	NONE0	ncurses-base 6.1-10.20180224.el8 No fix yet	0.9% Theoretical Threat	Not Applicable
CVE-2018-19211	NONE0	ncurses-libs 6.1-10.20180224.el8 No fix yet	0.9% Theoretical Threat	Not Applicable