Vulnerability Reportpingcap/tidb:v8.5.5

pingcap/tidb:v8.5.5

DIGESTsha256:5052342db5785506679e6128b8b48c96b8f799faedc4b521fddd874c400f7a58

Executive Summary

Threat ScoreDANGEROUS• 70 total exposed vulnerabilities with 1 critical (severity ≥7.0) and 23 high (severity ≥6.0).• Critical authorization bypass in gRPC-Go (CVE-2026-33186, CVSS 7.73) allows unauthorized access to gRPC endpoints without special configuration, directly impacting TiDB inter-node and client communications.• TLS certificate validation bypass (CVE-2025-68121, CVSS 6.8) in crypto/tls could allow session resumption with untrusted peers if config mutation is used.• Multiple remote DoS vulnerabilities in gnutls (CVE-2026-33846, CVE-2026-42009) and openssl (CVE-2026-34183) could cause service disruption.

75/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (8M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could exploit the gRPC authorization bypass (CVE-2026-33186) to access sensitive data or perform actions without authentication. Additionally, the TLS certificate validation flaw (CVE-2025-68121) could enable man-in-the-middle attacks under specific conditions, and multiple DoS vulnerabilities (CVE-2026-33846, CVE-2026-34183) allow remote service disruption. Upgrading gRPC-Go to v1.79.3 fully eliminates the authorization bypass. Note: CVE-2025-68121 only applies if TLS configuration is mutated between handshakes, which is not the default.

Vulnerabilities

Vulnerability Log

122 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-33186	HIGH7.73	google.golang.org/grpc v1.63.2 fixed in 1.79.3	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2025-68121	MEDIUM6.8	stdlib v1.25.5 fixed in 1.24.13, 1.25.7, 1.26.0-rc.3	0.8% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-45186	MEDIUM6.38	expat 2.5.0-5.el9_7.1 fixed in 2.5.0-6.el9_8.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-33846	MEDIUM6.38	gnutls 3.8.3-9.el9.0.1 fixed in 3.8.10-4.el9_8	0.9% Theoretical Threat	Directly Exposed
CVE-2026-42009	MEDIUM6.38	gnutls 3.8.3-9.el9.0.1 fixed in 3.8.10-4.el9_8	0.8% Theoretical Threat	Directly Exposed
CVE-2026-4111	MEDIUM6.38	libarchive 3.5.3-6.el9_6 fixed in 3.5.3-7.el9_7	0.7% Theoretical Threat	Directly Exposed
CVE-2026-4424	MEDIUM6.38	libarchive 3.5.3-6.el9_6 fixed in 3.5.3-9.el9_7	0.9% Theoretical Threat	Directly Exposed
CVE-2026-34183	MEDIUM6.38	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.5% Theoretical Threat	Directly Exposed
CVE-2026-28390	MEDIUM6.38	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-3.el9_8	0.8% Theoretical Threat	Directly Exposed
CVE-2026-41602	MEDIUM6.38	github.com/apache/thrift v0.21.0 fixed in 0.23.0	0.6% Theoretical Threat	Directly Exposed
CVE-2025-61726	MEDIUM6.38	stdlib v1.25.5 fixed in 1.24.12, 1.25.6	0.8% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-25679	MEDIUM6.38	stdlib v1.25.5 fixed in 1.25.8, 1.26.1	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-32280	MEDIUM6.38	stdlib v1.25.5 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-32281	MEDIUM6.38	stdlib v1.25.5 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-32283	MEDIUM6.38	stdlib v1.25.5 fixed in 1.25.9, 1.26.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33811	MEDIUM6.38	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Directly Exposed
CVE-2026-33814	MEDIUM6.38	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly Exposed
CVE-2026-39820	MEDIUM6.38	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-39836	MEDIUM6.38	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Directly Exposed
CVE-2026-3833	MEDIUM6.29	gnutls 3.8.3-9.el9.0.1 fixed in 3.8.10-4.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42011	MEDIUM6.29	gnutls 3.8.3-9.el9.0.1 fixed in 3.8.10-4.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42012	MEDIUM6.03	gnutls 3.8.3-9.el9.0.1 fixed in 3.8.10-4.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4878	MEDIUM5.95	libcap 2.48-10.el9 fixed in 2.48-10.el9_7.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42014	MEDIUM5.61	gnutls 3.8.3-9.el9.0.1 fixed in 3.8.10-4.el9_8	0.2% Theoretical Threat	Directly Exposed
CVE-2025-14512	MEDIUM5.52	glib2 2.68.4-18.el9_7.1 fixed in 2.68.4-19.el9_8.1	0.5% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc 2.34-231.el9_7.10 fixed in 2.34-270.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc-common 2.34-231.el9_7.10 fixed in 2.34-270.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	glibc-minimal-langpack 2.34-231.el9_7.10 fixed in 2.34-270.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-32282	MEDIUM5.44	stdlib v1.25.5 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34181	MEDIUM5.35	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42768	MEDIUM5.35	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.4% Theoretical Threat	Directly Exposed
CVE-2026-32289	MEDIUM5.18	stdlib v1.25.5 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2025-61728	MEDIUM5.1	stdlib v1.25.5 fixed in 1.24.12, 1.25.6	0.6% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-40355	MEDIUM5.02	krb5-libs 1.21.1-8.el9_6 fixed in 1.21.1-10.el9_8	0.5% Theoretical Threat	Directly Exposed
CVE-2026-40356	MEDIUM5.02	krb5-libs 1.21.1-8.el9_6 fixed in 1.21.1-10.el9_8	0.5% Theoretical Threat	Directly Exposed
CVE-2026-42764	MEDIUM5.02	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.7% Theoretical Threat	Directly Exposed
CVE-2026-42769	MEDIUM5.02	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-31790	MEDIUM5.02	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-2.el9_8	1.0% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-32288	MEDIUM4.67	stdlib v1.25.5 fixed in 1.25.9, 1.26.2	0.3% Theoretical Threat	Directly Exposed
CVE-2026-27142	MEDIUM4.59	stdlib v1.25.5 fixed in 1.25.8, 1.26.1	0.3% Theoretical Threat	Directly Exposed
CVE-2026-39826	MEDIUM4.59	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc 2.34-231.el9_7.10 fixed in 2.34-270.el9_8	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-common 2.34-231.el9_7.10 fixed in 2.34-270.el9_8	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	glibc-minimal-langpack 2.34-231.el9_7.10 fixed in 2.34-270.el9_8	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42015	MEDIUM4.5	gnutls 3.8.3-9.el9.0.1 fixed in 3.8.10-4.el9_8	0.7% Theoretical Threat	Directly Exposed
CVE-2025-14831	MEDIUM4.5	gnutls 3.8.3-9.el9.0.1 fixed in 3.8.3-10.el9_7	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2025-47914	MEDIUM4.5	golang.org/x/crypto v0.44.0 fixed in 0.45.0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-58181	MEDIUM4.5	golang.org/x/crypto v0.44.0 fixed in 0.45.0	0.5% Theoretical Threat	Directly Exposed
CVE-2025-61730	MEDIUM4.5	stdlib v1.25.5 fixed in 1.24.12, 1.25.6	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42507	MEDIUM4.5	stdlib v1.25.5 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.5% Theoretical Threat	Directly Exposed
CVE-2026-28421	LOW3.98	vim-minimal 2:8.2.2637-23.el9_7 fixed in 2:8.2.2637-23.el9_7.2	0.2% Theoretical Threat	Post-Exploit
CVE-2026-33412	LOW3.72	vim-minimal 2:8.2.2637-23.el9_7 fixed in 2:8.2.2637-23.el9_7.2	0.7% Theoretical Threat	Post-Exploit
CVE-2026-25749	LOW3.72	vim-minimal 2:8.2.2637-23.el9_7 fixed in 2:8.2.2637-23.el9_7.1	0.2% Theoretical Threat	Post-Exploit
CVE-2026-4786	LOW3.62	python3 3.9.25-3.el9_7 fixed in 3.9.25-7.el9_8	0.2% Theoretical Threat	Post-Exploit
CVE-2025-15367	LOW3.62	python3 3.9.25-3.el9_7 fixed in 3.9.25-3.el9_7.1	0.3% Theoretical Threat	Post-Exploit
CVE-2026-1299	LOW3.62	python3 3.9.25-3.el9_7 fixed in 3.9.25-3.el9_7.1	0.6% Theoretical Threat	Post-Exploit
CVE-2026-4786	LOW3.62	python3-libs 3.9.25-3.el9_7 fixed in 3.9.25-7.el9_8	0.2% Theoretical Threat	Post-Exploit
CVE-2025-15366	LOW3.62	python3-libs 3.9.25-3.el9_7 fixed in 3.9.25-3.el9_7.1	0.3% Theoretical Threat	Post-Exploit
CVE-2025-15367	LOW3.62	python3-libs 3.9.25-3.el9_7 fixed in 3.9.25-3.el9_7.1	0.3% Theoretical Threat	Post-Exploit
CVE-2026-1299	LOW3.62	python3-libs 3.9.25-3.el9_7 fixed in 3.9.25-3.el9_7.1	0.6% Theoretical Threat	Post-Exploit
CVE-2026-35177	LOW3.62	vim-minimal 2:8.2.2637-23.el9_7 fixed in 2:8.2.2637-26.el9_8.5	0.1% Theoretical Threat	Post-Exploit
CVE-2026-4438	LOW3.4	glibc 2.34-231.el9_7.10 fixed in 2.34-270.el9_8	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-common 2.34-231.el9_7.10 fixed in 2.34-270.el9_8	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	glibc-minimal-langpack 2.34-231.el9_7.10 fixed in 2.34-270.el9_8	0.2% Theoretical Threat	Directly Exposed
CVE-2025-9820	LOW3.4	gnutls 3.8.3-9.el9.0.1 fixed in 3.8.3-10.el9_7	0.2% Theoretical Threat	Directly Exposed
CVE-2026-34181	LOW3.21	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42768	LOW3.21	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.4% Theoretical Threat	Post-Exploit
CVE-2023-39975	LOW3.17	krb5-libs 1.21.1-8.el9_6 fixed in 1.21.1-10.el9_8	1.2% Low-Moderate Risk	Post-Exploit
CVE-2026-3832	LOW3.15	gnutls 3.8.3-9.el9.0.1 fixed in 3.8.10-4.el9_8	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5419	LOW3.15	gnutls 3.8.3-9.el9.0.1 fixed in 3.8.10-4.el9_8	0.5% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42764	LOW3.01	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.7% Theoretical Threat	Post-Exploit
CVE-2026-42769	LOW3.01	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW3.01	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.2% Theoretical Threat	Post-Exploit
CVE-2026-9076	LOW3.01	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Post-Exploit
CVE-2026-31790	LOW3.01	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-2.el9_8	1.0% Theoretical Threat	Post-Exploit
CVE-2025-14087	LOW3	glib2 2.68.4-18.el9_7.1 fixed in 2.68.4-19.el9_8.1	0.8% Theoretical Threat	Post-Exploit
CVE-2026-42010	LOW3	gnutls 3.8.3-9.el9.0.1 fixed in 3.8.10-4.el9_8	0.8% Theoretical Threat	Post-Exploit
CVE-2026-45447	LOW2.92	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-28417	LOW2.81	vim-minimal 2:8.2.2637-23.el9_7 fixed in 2:8.2.2637-23.el9_7.2	1.2% Low-Moderate Risk	Post-Exploit
CVE-2026-7383	LOW2.8	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Post-Exploit
CVE-2026-33845	LOW2.78	gnutls 3.8.3-9.el9.0.1 fixed in 3.8.10-4.el9_8	0.6% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	openssl-libs 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Post-Exploit
CVE-2026-5121	LOW2.7	libarchive 3.5.3-6.el9_6 fixed in 3.5.3-9.el9_7	1.1% Low-Moderate Risk	Post-Exploit
CVE-2026-2100	LOW2.7	p11-kit 0.25.3-3.el9_5 fixed in 0.26.2-1.el9	1.0% Low-Moderate Risk	Post-Exploit
CVE-2026-2100	LOW2.7	p11-kit-trust 0.25.3-3.el9_5 fixed in 0.26.2-1.el9	1.0% Low-Moderate Risk	Post-Exploit
CVE-2026-32952	LOW2.7	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 fixed in 0.1.1	1.0% Low-Moderate Risk	Post-Exploit
CVE-2026-42766	LOW2.7	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42767	LOW2.7	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.3% Theoretical Threat	Post-Exploit
CVE-2026-34180	LOW2.55	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.5% Theoretical Threat	Post-Exploit
CVE-2026-42013	LOW2.51	gnutls 3.8.3-9.el9.0.1 fixed in 3.8.10-4.el9_8	0.4% Theoretical Threat	Post-Exploit
CVE-2026-5260	LOW2.51	gnutls 3.8.3-9.el9.0.1 fixed in 3.8.10-4.el9_8	0.7% Theoretical Threat	Post-Exploit
CVE-2026-34982	LOW2.51	vim-minimal 2:8.2.2637-23.el9_7 fixed in 2:8.2.2637-26.el9_8.4	0.4% Theoretical Threat	Post-Exploit
CVE-2026-6100	LOW2.48	python3 3.9.25-3.el9_7 fixed in 3.9.25-7.el9_8	0.5% Theoretical Threat	Post-Exploit
CVE-2026-6100	LOW2.48	python3-libs 3.9.25-3.el9_7 fixed in 3.9.25-7.el9_8	0.5% Theoretical Threat	Post-Exploit
CVE-2026-29111	LOW2.39	systemd-libs 252-55.el9_7.7.rocky.0.1 fixed in 252-67.el9_8.2.rocky.0.1	0.1% Theoretical Threat	Post-Exploit
CVE-2023-36054	LOW2.34	krb5-libs 1.21.1-8.el9_6 fixed in 1.21.1-10.el9_8	2.1% Low-Moderate Risk	Post-Exploit
CVE-2026-27135	LOW2.29	libnghttp2 1.43.0-6.el9 fixed in 1.43.0-6.el9_7.1	0.6% Theoretical Threat	Post-Exploit
CVE-2026-34183	LOW2.29	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.5% Theoretical Threat	Post-Exploit
CVE-2026-28390	LOW2.29	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-3.el9_8	0.8% Theoretical Threat	Post-Exploit
CVE-2026-0865	LOW2.29	python3 3.9.25-3.el9_7 fixed in 3.9.25-3.el9_7.1	0.5% Theoretical Threat	Post-Exploit
CVE-2026-0865	LOW2.29	python3-libs 3.9.25-3.el9_7 fixed in 3.9.25-3.el9_7.1	0.5% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW2.26	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.2% Theoretical Threat	Post-Exploit
CVE-2025-15366	LOW2.17	python3 3.9.25-3.el9_7 fixed in 3.9.25-3.el9_7.1	0.3% Theoretical Threat	Post-Exploit
CVE-2026-27139	LOW2.12	stdlib v1.25.5 fixed in 1.25.8, 1.26.1	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW1.89	openssl 1:3.5.1-7.el9_7 fixed in 1:3.5.5-4.el9_8	0.2% Theoretical Threat	Post-Exploit
CVE-2026-4519	LOW1.68	python3 3.9.25-3.el9_7 fixed in 3.9.25-7.el9_8	0.2% Theoretical Threat	Post-Exploit
CVE-2026-4519	LOW1.68	python3-libs 3.9.25-3.el9_7 fixed in 3.9.25-7.el9_8	0.2% Theoretical Threat	Post-Exploit
CVE-2026-39823	NONE0	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.25.5 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.25.5 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.25.5 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable