Vulnerability Reportmilvusdb/milvus:2.6-20260618-5759d3b5-amd64

milvusdb/milvus:2.6-20260618-5759d3b5-amd64

DIGESTsha256:4eb7204c21617b57fdad3ed828117d2441143054daa31eb5ad78563244ce9859

Executive Summary

Threat ScoreCAUTION• 37 exposed vulnerabilities detected, 7 with severity ≥6.0 and 1 reaching 7.5 (CVE-2017-11164).• All top findings are denial-of-service vulnerabilities affecting PCRE, PCRE2, OpenTelemetry, and Go TLS/HTTP/2 libraries.• Image has strong trust (76M+ pulls, reliable publisher) but vulnerability surface is elevated.• Post-exploitation findings are low severity (max 2.86) and do not increase overall risk.• An unauthenticated attacker could disrupt service availability via crafted requests exploiting these DoS flaws.

74/100CAUTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (76M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. An attacker could cause denial of service by exploiting vulnerabilities in PCRE (CVE-2017-11164) or Go's TLS stack (CVE-2026-32280), potentially disrupting the Milvus vector database service. While the image is from a trusted publisher with high pull counts, the 7 exposed vulnerabilities with severity ≥6.0 and a max of 7.5 present a clear risk to availability. No authentication is required for exploitation, making internet-facing deployments particularly vulnerable.

Vulnerabilities

Vulnerability Log

58 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2017-11164	HIGH7.5	libpcre3 2:8.39-13ubuntu0.22.04.1 No fix yet	3.1% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2022-41409	MEDIUM6.38	libpcre2-8-0 10.39-3ubuntu0.1 No fix yet	1.0% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-29181	MEDIUM6.38	go.opentelemetry.io/otel v1.40.0 fixed in 1.41.0	0.3% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-32280	MEDIUM6.38	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-32281	MEDIUM6.38	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-32283	MEDIUM6.38	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-33814	MEDIUM6.38	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-39883	MEDIUM5.95	go.opentelemetry.io/otel/sdk v1.40.0 fixed in 1.43.0	0.2% Theoretical Threat	Directly Exposed
CVE-2026-32282	MEDIUM5.44	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-41602	MEDIUM5.1	github.com/apache/thrift v0.20.0 fixed in 0.23.0	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-33811	MEDIUM5.1	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2024-2236	MEDIUM4.72	libgcrypt20 1.9.4-3ubuntu3.2 No fix yet	1.1% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-27943	MEDIUM4.67	gcc-12-base 12.3.0-1ubuntu1~22.04.3 No fix yet	0.9% Theoretical Threat	Directly Exposed
CVE-2022-27943	MEDIUM4.67	libgcc-s1 12.3.0-1ubuntu1~22.04.3 No fix yet	0.9% Theoretical Threat	Directly Exposed
CVE-2022-27943	MEDIUM4.67	libgfortran5 12.3.0-1ubuntu1~22.04.3 No fix yet	0.9% Theoretical Threat	Directly Exposed
CVE-2022-27943	MEDIUM4.67	libgomp1 12.3.0-1ubuntu1~22.04.3 No fix yet	0.9% Theoretical Threat	Directly Exposed
CVE-2022-27943	MEDIUM4.67	libquadmath0 12.3.0-1ubuntu1~22.04.3 No fix yet	0.9% Theoretical Threat	Directly Exposed
CVE-2022-27943	MEDIUM4.67	libstdc++6 12.3.0-1ubuntu1~22.04.3 No fix yet	0.9% Theoretical Threat	Directly Exposed
CVE-2026-32288	MEDIUM4.67	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libc6 2.35-0ubuntu3.13 No fix yet	0.4% Theoretical Threat	Directly Exposed
CVE-2026-32289	MEDIUM4.14	stdlib v1.25.8 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-27456	MEDIUM4	libblkid1 2.37.2-4ubuntu3.5 No fix yet	0.1% Theoretical Threat	Directly Exposed
CVE-2026-27456	MEDIUM4	libmount1 2.37.2-4ubuntu3.5 No fix yet	0.1% Theoretical Threat	Directly Exposed
CVE-2026-27456	MEDIUM4	libsmartcols1 2.37.2-4ubuntu3.5 No fix yet	0.1% Theoretical Threat	Directly Exposed
CVE-2026-27456	MEDIUM4	libuuid1 2.37.2-4ubuntu3.5 No fix yet	0.1% Theoretical Threat	Directly Exposed
CVE-2026-39826	LOW3.67	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2025-45582	LOW2.86	tar 1.34+dfsg-1ubuntu0.1.22.04.2 No fix yet	0.4% Theoretical Threat	Post-Exploit
CVE-2026-40228	LOW2.8	libsystemd0 249.11-0ubuntu3.21 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-40228	LOW2.8	libudev1 249.11-0ubuntu3.21 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2022-4899	LOW2.7	libzstd1 1.4.8+dfsg-3build1 No fix yet	1.6% Low-Moderate Risk	Post-Exploit
CVE-2026-27456	LOW2.4	bsdutils 1:2.37.2-4ubuntu3.5 No fix yet	0.1% Theoretical Threat	Post-Exploit
CVE-2026-27456	LOW2.4	mount 2.37.2-4ubuntu3.5 No fix yet	0.1% Theoretical Threat	Post-Exploit
CVE-2026-27456	LOW2.4	util-linux 2.37.2-4ubuntu3.5 No fix yet	0.1% Theoretical Threat	Post-Exploit
CVE-2026-39820	LOW2.29	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Post-Exploit
CVE-2026-39836	LOW2.29	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Post-Exploit
CVE-2026-6238	LOW1.99	libc-bin 2.35-0ubuntu3.13 No fix yet	0.3% Theoretical Threat	Post-Exploit
CVE-2026-6238	LOW1.99	libc6 2.35-0ubuntu3.13 No fix yet	0.3% Theoretical Threat	Post-Exploit
CVE-2024-56433	LOW1.84	login 1:4.8.1-2ubuntu2.2 No fix yet	0.4% Theoretical Threat	Post-Exploit
CVE-2024-56433	LOW1.84	passwd 1:4.8.1-2ubuntu2.2 No fix yet	0.4% Theoretical Threat	Post-Exploit
CVE-2026-5435	LOW1.81	libc-bin 2.35-0ubuntu3.13 No fix yet	0.2% Theoretical Threat	Post-Exploit
CVE-2026-5435	LOW1.81	libc6 2.35-0ubuntu3.13 No fix yet	0.2% Theoretical Threat	Post-Exploit
CVE-2023-29383	LOW1.68	login 1:4.8.1-2ubuntu2.2 No fix yet	0.4% Theoretical Threat	Post-Exploit
CVE-2023-29383	LOW1.68	passwd 1:4.8.1-2ubuntu2.2 No fix yet	0.4% Theoretical Threat	Post-Exploit
CVE-2026-4046	LOW1.62	libc-bin 2.35-0ubuntu3.13 No fix yet	0.4% Theoretical Threat	Post-Exploit
CVE-2023-50495	NONE0	libncurses6 6.3-2ubuntu0.1 No fix yet	1.0% Theoretical Threat	Not Applicable
CVE-2023-50495	NONE0	libncursesw6 6.3-2ubuntu0.1 No fix yet	1.0% Theoretical Threat	Not Applicable
CVE-2023-50495	NONE0	libtinfo6 6.3-2ubuntu0.1 No fix yet	1.0% Theoretical Threat	Not Applicable
CVE-2023-50495	NONE0	ncurses-base 6.3-2ubuntu0.1 No fix yet	1.0% Theoretical Threat	Not Applicable
CVE-2023-50495	NONE0	ncurses-bin 6.3-2ubuntu0.1 No fix yet	1.0% Theoretical Threat	Not Applicable
GHSA-xmrv-pmrh-hhx2	NONE0	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7 fixed in 1.7.8	—	Not Applicable
GHSA-xmrv-pmrh-hhx2	NONE0	github.com/aws/aws-sdk-go-v2/service/bedrockruntime v1.23.0 fixed in 1.50.4	—	Not Applicable
CVE-2026-39882	NONE0	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.20.0 fixed in 1.43.0	0.2% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.25.8 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.25.8 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.25.8 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.25.8 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable