Vulnerability Report: rancher/k3s:latest

rancher/k3s:latest, rancher/k3s:v1.34.1-k3s1
DIGEST: sha256:5e0707cfd1239b358ef73f3254bc3eadc027dd30cd5ec6ca41e29e47652a1b8c

Executive Summary

Threat Score: 50/100 (CAUTION)
Reputation: TRUSTED

This image carries significant risk; production deployment is highly discouraged without strict compensating controls. An attacker with local access could exploit runc to escape the container and gain host root, and if the Extension backend is enabled on flannel, remote command injection is possible. Upgrading flannel to v0.28.2 or using default vxlan/wireguard backends fully mitigates CVE-2026-32241. Remediation of runc and stdlib vulnerabilities is required to reduce the attack surface.

Vulnerabilities

Vulnerability Log

90 total
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2026-32241 | HIGH 7.04 | github.com/flannel-io/flannel v0.27.0 (fixed in 0.28.2) | 2.7%, Low-Moderate Risk | Directly Exposed; Context importance: MEDIUM |
| CVE-2025-68121 | MEDIUM 6.8 | stdlib v1.24.6 (fixed in 1.24.13, 1.25.7, 1.26.0-rc.3) | 0.8%, Theoretical Threat | Directly Exposed; Context importance: MEDIUM |
| CVE-2025-31133 | MEDIUM 6.63 | github.com/opencontainers/runc v1.3.1 (fixed in 1.2.8, 1.3.3, 1.4.0-rc.3) | 0.7%, Theoretical Threat | Directly Exposed; Context importance: HIGH |
| CVE-2026-32280 | MEDIUM 6.38 | stdlib v1.24.6 (fixed in 1.25.9, 1.26.2) | 0.4%, Theoretical Threat | Directly Exposed |
| CVE-2026-32281 | MEDIUM 6.38 | stdlib v1.24.6 (fixed in 1.25.9, 1.26.2) | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2026-32283 | MEDIUM 6.38 | stdlib v1.24.6 (fixed in 1.25.9, 1.26.2) | 0.4%, Theoretical Threat | Directly Exposed |
| CVE-2026-33811 | MEDIUM 6.38 | stdlib v1.24.6 (fixed in 1.25.10, 1.26.3) | 0.5%, Theoretical Threat | Directly Exposed |
| CVE-2026-33814 | MEDIUM 6.38 | stdlib v1.24.6 (fixed in 1.25.10, 1.26.3) | 0.6%, Theoretical Threat | Directly Exposed |
| CVE-2026-39820 | MEDIUM 6.38 | stdlib v1.24.6 (fixed in 1.25.10, 1.26.3) | 0.4%, Theoretical Threat | Directly Exposed |
| CVE-2026-39836 | MEDIUM 6.38 | stdlib v1.24.6 (fixed in 1.25.10, 1.26.3) | 0.6%, Theoretical Threat | Directly Exposed |
| CVE-2026-32285 | MEDIUM 6.38 | github.com/buger/jsonparser v1.1.1 (fixed in 1.1.2) | 0.5%, Theoretical Threat | Directly Exposed |
| CVE-2026-34986 | MEDIUM 6.38 | github.com/go-jose/go-jose/v4 v4.0.5 (fixed in 4.1.4) | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2026-27889 | MEDIUM 6.38 | github.com/nats-io/nats-server/v2 v2.11.6 (fixed in 2.11.14, 2.12.5) | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2026-29785 | MEDIUM 6.38 | github.com/nats-io/nats-server/v2 v2.11.6 (fixed in 2.11.14, 2.12.5) | 0.4%, Theoretical Threat | Directly Exposed |
| CVE-2026-33216 | MEDIUM 6.38 | github.com/nats-io/nats-server/v2 v2.11.6 (fixed in 2.11.15, 2.12.6) | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2026-33218 | MEDIUM 6.38 | github.com/nats-io/nats-server/v2 v2.11.6 (fixed in 2.11.15, 2.12.6) | 0.4%, Theoretical Threat | Directly Exposed |
| CVE-2026-27571 | MEDIUM 6.38 | github.com/nats-io/nats-server/v2 v2.11.6 (fixed in 2.11.12, 2.12.3) | 0.5%, Theoretical Threat | Directly Exposed |
| CVE-2026-33219 | MEDIUM 6.38 | github.com/nats-io/nats-server/v2 v2.11.6 (fixed in 2.11.15, 2.12.6) | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2025-52881 | MEDIUM 6.38 | github.com/opencontainers/selinux v1.11.1 (fixed in 1.13.0) | 0.5%, Theoretical Threat | Directly Exposed; Context importance: HIGH |
| CVE-2026-40898 | MEDIUM 6.38 | github.com/quic-go/quic-go v0.50.1 (fixed in 0.59.1) | 0.5%, Theoretical Threat | Directly Exposed |
| CVE-2026-29181 | MEDIUM 6.38 | go.opentelemetry.io/otel v1.37.0 (fixed in 1.41.0) | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2025-52565 | MEDIUM 6.38 | github.com/opencontainers/runc v1.3.1 (fixed in 1.2.8, 1.3.3, 1.4.0-rc.3) | 0.5%, Theoretical Threat | Directly Exposed; Context importance: HIGH |
| CVE-2025-52881 | MEDIUM 6.38 | github.com/opencontainers/runc v1.3.1 (fixed in 1.2.8, 1.3.3, 1.4.0-rc.3) | 0.5%, Theoretical Threat | Directly Exposed; Context importance: HIGH |
| CVE-2026-33186 | MEDIUM 6.18 | google.golang.org/grpc v1.73.0 (fixed in 1.79.3) | 0.5%, Theoretical Threat | Directly Exposed; Context importance: MEDIUM |
| CVE-2026-33186 | MEDIUM 6.18 | google.golang.org/grpc v1.72.1 (fixed in 1.79.3) | 0.5%, Theoretical Threat | Directly Exposed; Context importance: MEDIUM |
| CVE-2026-42306 | MEDIUM 6.12 | github.com/docker/docker v25.0.8+incompatible (No fix yet) | 0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-39883 | MEDIUM 5.95 | go.opentelemetry.io/otel/sdk v1.37.0 (fixed in 1.43.0) | 0.2%, Theoretical Threat | Directly Exposed |
| CVE-2025-61727 | MEDIUM 5.52 | stdlib v1.24.6 (fixed in 1.24.11, 1.25.5) | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2026-35469 | MEDIUM 5.52 | github.com/moby/spdystream v0.5.0 (fixed in 0.5.1) | 0.4%, Theoretical Threat | Directly Exposed |
| CVE-2026-33217 | MEDIUM 5.52 | github.com/nats-io/nats-server/v2 v2.11.6 (fixed in 2.11.15, 2.12.6) | 0.2%, Theoretical Threat | Directly Exposed |
| CVE-2026-33215 | MEDIUM 5.52 | github.com/nats-io/nats-server/v2 v2.11.6 (fixed in 2.11.15, 2.12.6) | 0.2%, Theoretical Threat | Directly Exposed |
| CVE-2025-22872 | MEDIUM 5.52 | golang.org/x/net v0.35.0 (fixed in 0.38.0) | 0.4%, Theoretical Threat | Directly Exposed |
| CVE-2026-32282 | MEDIUM 5.44 | stdlib v1.24.6 (fixed in 1.25.9, 1.26.2) | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2026-33249 | MEDIUM 5.44 | github.com/nats-io/nats-server/v2 v2.11.6 (fixed in 2.11.15, 2.12.6) | 0.2%, Theoretical Threat | Directly Exposed |
| CVE-2026-32289 | MEDIUM 5.18 | stdlib v1.24.6 (fixed in 1.25.9, 1.26.2) | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2025-61726 | MEDIUM 5.1 | stdlib v1.24.6 (fixed in 1.24.12, 1.25.6) | 0.8%, Theoretical Threat | Directly Exposed; Context importance: MEDIUM |
| CVE-2025-61729 | MEDIUM 5.1 | stdlib v1.24.6 (fixed in 1.24.11, 1.25.5) | 0.5%, Theoretical Threat | Directly Exposed; Context importance: MEDIUM |
| CVE-2026-25679 | MEDIUM 5.1 | stdlib v1.24.6 (fixed in 1.25.8, 1.26.1) | 0.5%, Theoretical Threat | Directly Exposed; Context importance: MEDIUM |
| CVE-2025-58183 | MEDIUM 5.1 | stdlib v1.24.6 (fixed in 1.24.8, 1.25.2) | 0.4%, Theoretical Threat | Directly Exposed; Context importance: MEDIUM |
| CVE-2025-61728 | MEDIUM 5.1 | stdlib v1.24.6 (fixed in 1.24.12, 1.25.6) | 0.6%, Theoretical Threat | Directly Exposed; Context importance: MEDIUM |
| CVE-2026-26014 | MEDIUM 5.02 | github.com/pion/dtls/v2 v2.2.12 (No fix yet) | 0.6%, Theoretical Threat | Directly Exposed |
| CVE-2026-26014 | MEDIUM 5.02 | github.com/pion/dtls/v3 v3.0.4 (fixed in 3.1.1, 3.0.11) | 0.6%, Theoretical Threat | Directly Exposed |
| CVE-2026-32288 | MEDIUM 4.67 | stdlib v1.24.6 (fixed in 1.25.9, 1.26.2) | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2026-27142 | MEDIUM 4.59 | stdlib v1.24.6 (fixed in 1.25.8, 1.26.1) | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2026-39826 | MEDIUM 4.59 | stdlib v1.24.6 (fixed in 1.25.10, 1.26.3) | 0.4%, Theoretical Threat | Directly Exposed |
| CVE-2026-33223 | MEDIUM 4.59 | github.com/nats-io/nats-server/v2 v2.11.6 (fixed in 2.11.15, 2.12.6) | 0.2%, Theoretical Threat | Directly Exposed |
| CVE-2026-33246 | MEDIUM 4.59 | github.com/nats-io/nats-server/v2 v2.11.6 (fixed in 2.11.15, 2.12.6) | 0.1%, Theoretical Threat | Directly Exposed |
| CVE-2025-47912 | MEDIUM 4.5 | stdlib v1.24.6 (fixed in 1.24.8, 1.25.2) | 0.4%, Theoretical Threat | Directly Exposed |
| CVE-2025-58185 | MEDIUM 4.5 | stdlib v1.24.6 (fixed in 1.24.8, 1.25.2) | 0.5%, Theoretical Threat | Directly Exposed |
| CVE-2025-58187 | MEDIUM 4.5 | stdlib v1.24.6 (fixed in 1.24.9, 1.25.3) | 0.4%, Theoretical Threat | Directly Exposed |
| CVE-2025-58188 | MEDIUM 4.5 | stdlib v1.24.6 (fixed in 1.24.8, 1.25.2) | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2025-58189 | MEDIUM 4.5 | stdlib v1.24.6 (fixed in 1.24.8, 1.25.2) | 0.4%, Theoretical Threat | Directly Exposed |
| CVE-2025-61723 | MEDIUM 4.5 | stdlib v1.24.6 (fixed in 1.24.8, 1.25.2) | 0.6%, Theoretical Threat | Directly Exposed |
| CVE-2025-61724 | MEDIUM 4.5 | stdlib v1.24.6 (fixed in 1.24.8, 1.25.2) | 0.5%, Theoretical Threat | Directly Exposed |
| CVE-2025-61725 | MEDIUM 4.5 | stdlib v1.24.6 (fixed in 1.24.8, 1.25.2) | 0.6%, Theoretical Threat | Directly Exposed |
| CVE-2025-61730 | MEDIUM 4.5 | stdlib v1.24.6 (fixed in 1.24.12, 1.25.6) | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2025-58186 | MEDIUM 4.5 | stdlib v1.24.6 (fixed in 1.24.8, 1.25.2) | 0.5%, Theoretical Threat | Directly Exposed |
| CVE-2026-33247 | MEDIUM 4.5 | github.com/nats-io/nats-server/v2 v2.11.6 (fixed in 2.11.15, 2.12.6) | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2025-59530 | MEDIUM 4.5 | github.com/quic-go/quic-go v0.50.1 (fixed in 0.49.1, 0.54.1) | 0.4%, Theoretical Threat | Directly Exposed |
| CVE-2025-64702 | MEDIUM 4.5 | github.com/quic-go/quic-go v0.50.1 (fixed in 0.57.0) | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2025-47914 | MEDIUM 4.5 | golang.org/x/crypto v0.36.0 (fixed in 0.45.0) | 0.5%, Theoretical Threat | Directly Exposed |
| CVE-2025-58181 | MEDIUM 4.5 | golang.org/x/crypto v0.36.0 (fixed in 0.45.0) | 0.5%, Theoretical Threat | Directly Exposed |
| CVE-2025-54410 | MEDIUM 4.42 | github.com/docker/docker v25.0.8+incompatible (fixed in 25.0.13, 28.0.0) | 0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-33222 | MEDIUM 4.17 | github.com/nats-io/nats-server/v2 v2.11.6 (fixed in 2.11.15, 2.12.6) | 0.3%, Theoretical Threat | Directly Exposed |
| CVE-2026-33248 | MEDIUM 4.08 | github.com/nats-io/nats-server/v2 v2.11.6 (fixed in 2.11.15, 2.12.6) | 0.1%, Theoretical Threat | Directly Exposed |
| CVE-2025-22870 | LOW 3.74 | golang.org/x/net v0.35.0 (fixed in 0.36.0) | 0.4%, Theoretical Threat | Directly Exposed |
| CVE-2026-26958 | LOW 3.15 | filippo.io/edwards25519 v1.1.0 (fixed in 1.1.1) | 0.4%, Theoretical Threat | Directly Exposed |
| CVE-2025-67499 | LOW 3.06 | github.com/containernetworking/plugins v1.7.1 (fixed in 1.9.0) | 0.1%, Theoretical Threat | Directly Exposed |
| CVE-2026-41889 | LOW 3 | github.com/jackc/pgx/v5 v5.7.5 (fixed in 5.9.2) | 0.4%, Theoretical Threat | Post-Exploit |
| CVE-2026-34040 | LOW 2.81 | github.com/docker/docker v25.0.8+incompatible (fixed in 29.3.1) | 8.1%, Low-Moderate Risk | Post-Exploit |
| CVE-2026-33816 | LOW 2.54 | github.com/jackc/pgx/v5 v5.7.5 (fixed in 5.9.0) | 0.4%, Theoretical Threat | Post-Exploit |
| CVE-2026-33997 | LOW 2.48 | github.com/docker/docker v25.0.8+incompatible (fixed in 29.3.1) | 0.3%, Theoretical Threat | Post-Exploit |
| CVE-2025-15558 | LOW 2.45 | github.com/docker/cli v28.3.2+incompatible (fixed in 29.2.0) | 0.4%, Theoretical Threat | Post-Exploit |
| CVE-2025-68156 | LOW 2.29 | github.com/expr-lang/expr v1.17.5 (fixed in 1.17.7) | 0.4%, Theoretical Threat | Post-Exploit |
| CVE-2026-21434 | LOW 2.29 | github.com/quic-go/webtransport-go v0.8.1-0.20241018022711-4ac2c9250e66 (fixed in 0.10.0) | 0.4%, Theoretical Threat | Post-Exploit |
| CVE-2026-21435 | LOW 2.29 | github.com/quic-go/webtransport-go v0.8.1-0.20241018022711-4ac2c9250e66 (fixed in 0.10.0) | 0.4%, Theoretical Threat | Post-Exploit |
| CVE-2026-27139 | LOW 2.12 | stdlib v1.24.6 (fixed in 1.25.8, 1.26.1) | 0.2%, Theoretical Threat | Directly Exposed |
| CVE-2026-39823 | NONE 0 | stdlib v1.24.6 (fixed in 1.25.10, 1.26.3) | 0.3%, Theoretical Threat | Not Applicable |
| CVE-2026-39825 | NONE 0 | stdlib v1.24.6 (fixed in 1.25.10, 1.26.3) | 0.4%, Theoretical Threat | Not Applicable |
| CVE-2026-42499 | NONE 0 | stdlib v1.24.6 (fixed in 1.25.10, 1.26.3) | 0.6%, Theoretical Threat | Not Applicable |
| CVE-2026-42504 | NONE 0 | stdlib v1.24.6 (fixed in 1.25.11, 1.26.4) | 0.4%, Theoretical Threat | Not Applicable |
| CVE-2026-27145 | NONE 0 | stdlib v1.24.6 (fixed in 1.25.11, 1.26.4) | 0.3%, Theoretical Threat | Not Applicable |
| CVE-2026-42507 | NONE 0 | stdlib v1.24.6 (fixed in 1.25.11, 1.26.4) | 0.3%, Theoretical Threat | Not Applicable |
| CVE-2026-41567 | NONE 0 | github.com/docker/docker v25.0.8+incompatible (No fix yet) | 0.1%, Theoretical Threat | Not Applicable |
| CVE-2026-41568 | NONE 0 | github.com/docker/docker v25.0.8+incompatible (No fix yet) | 0.1%, Theoretical Threat | Not Applicable |
| CVE-2026-35480 | NONE 0 | github.com/ipld/go-ipld-prime v0.21.0 (fixed in 0.22.0) | 0.2%, Theoretical Threat | Not Applicable |
| CVE-2026-42328 | NONE 0 | github.com/ipld/go-ipld-prime v0.21.0 (fixed in 0.23.0) | 0.1%, Theoretical Threat | Not Applicable |
| CVE-2025-49140 | NONE 0 | github.com/pion/interceptor v0.1.37 (fixed in 0.1.39) | 0.4%, Theoretical Threat | Not Applicable |
| CVE-2026-21438 | NONE 0 | github.com/quic-go/webtransport-go v0.8.1-0.20241018022711-4ac2c9250e66 (fixed in 0.10.0) | 0.4%, Theoretical Threat | Not Applicable |
| CVE-2026-24051 | NONE 0 | go.opentelemetry.io/otel/sdk v1.37.0 (fixed in 1.40.0) | 0.2%, Theoretical Threat | Not Applicable |