Vulnerability Reportvespaengine/vespa:8.699.8

vespaengine/vespa:8.699.8

DIGESTsha256:a462cb620e99c2f97f8ebd3e3bc2d5a0858cb36a17928cb2a4b31740feda9fe0

Executive Summary

Threat ScoreNEEDS ATTENTION• High-reputation community image (14M+ pulls) pinned by digest.• 14 exposed vulnerabilities identified; 2 with severity >= 6.0 (CVE-2026-42010, CVE-2026-45416).• CVE-2026-42010 (GNUTLS auth bypass, severity 6.66) requires non-default RSA-PSK configuration.• CVE-2026-45416 (Netty DoS, severity 6.38) affects default TLS handshake and is remotely exploitable.• No post-exploit-only vulnerabilities detected.

25/100NEEDS ATTENTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (14M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. It contains 14 known vulnerabilities, with the most notable being CVE-2026-42010 (GNUTLS authentication bypass) and CVE-2026-45416 (Netty denial of service). CVE-2026-42010 only applies if RSA-PSK cipher suites are enabled; disabling them fully eliminates that risk. CVE-2026-45416 can be exploited remotely against any TLS endpoint and may cause service disruption. The image is from a reputable community source and is pinned by digest, which provides some assurance of integrity.

Vulnerabilities

Vulnerability Log

37 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-42010	MEDIUM6.66	gnutls 3.6.16-8.el8_10.5 fixed in 3.6.16-8.el8_10.6	0.8% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.2.14.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42014	MEDIUM5.61	gnutls 3.6.16-8.el8_10.5 fixed in 3.6.16-8.el8_10.6	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42013	MEDIUM5.58	gnutls 3.6.16-8.el8_10.5 fixed in 3.6.16-8.el8_10.6	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-5260	MEDIUM5.58	gnutls 3.6.16-8.el8_10.5 fixed in 3.6.16-8.el8_10.6	0.7% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-44249	MEDIUM5.5	io.netty:netty-handler 4.2.14.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2024-34459	MEDIUM5.5	libxml2 2.9.7-21.el8_10.4 fixed in 2.9.7-21.el8_10.5	2.3% Low-Moderate Risk	Directly Exposed
CVE-2026-50010	MEDIUM5.1	io.netty:netty-handler 4.2.14.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-3833	MEDIUM5.03	gnutls 3.6.16-8.el8_10.5 fixed in 3.6.16-8.el8_10.6	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42011	MEDIUM5.03	gnutls 3.6.16-8.el8_10.5 fixed in 3.6.16-8.el8_10.6	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-35568	MEDIUM4.84	io.modelcontextprotocol.sdk:mcp-core 0.18.2 fixed in 1.0.0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-42012	MEDIUM4.82	gnutls 3.6.16-8.el8_10.5 fixed in 3.6.16-8.el8_10.6	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-35177	LOW3.62	vim-minimal 2:8.0.1763-22.el8_10.3 fixed in 2:8.0.1763-23.el8_10	0.1% Theoretical Threat	Post-Exploit
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.2.14.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45447	LOW2.92	openssl-libs 1:1.1.1k-15.el8_6 fixed in 1:1.1.1k-16.el8_6	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-33845	LOW2.78	gnutls 3.6.16-8.el8_10.5 fixed in 3.6.16-8.el8_10.6	0.6% Theoretical Threat	Post-Exploit
CVE-2026-45186	LOW2.29	expat 2.5.0-1.el8_10 fixed in 2.5.0-2.el8_10	0.5% Theoretical Threat	Post-Exploit
CVE-2026-33846	LOW2.29	gnutls 3.6.16-8.el8_10.5 fixed in 3.6.16-8.el8_10.6	0.9% Theoretical Threat	Post-Exploit
CVE-2026-42009	LOW2.29	gnutls 3.6.16-8.el8_10.5 fixed in 3.6.16-8.el8_10.6	0.8% Theoretical Threat	Post-Exploit
CVE-2024-4741	LOW2.02	openssl-libs 1:1.1.1k-15.el8_6 fixed in 1:1.1.1k-16.el8_6	2.9% Low-Moderate Risk	Post-Exploit
CVE-2026-4046	LOW1.62	glibc 2.28-251.el8_10.34 fixed in 2.28-251.el8_10.37	0.4% Theoretical Threat	Post-Exploit
CVE-2026-4046	LOW1.62	glibc-common 2.28-251.el8_10.34 fixed in 2.28-251.el8_10.37	0.4% Theoretical Threat	Post-Exploit
CVE-2026-4046	LOW1.62	glibc-langpack-en 2.28-251.el8_10.34 fixed in 2.28-251.el8_10.37	0.4% Theoretical Threat	Post-Exploit
CVE-2026-4046	LOW1.62	glibc-minimal-langpack 2.28-251.el8_10.34 fixed in 2.28-251.el8_10.37	0.4% Theoretical Threat	Post-Exploit
CVE-2026-42015	LOW1.62	gnutls 3.6.16-8.el8_10.5 fixed in 3.6.16-8.el8_10.6	0.7% Theoretical Threat	Post-Exploit
CVE-2026-33811	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Not Applicable
CVE-2026-33814	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-39820	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-39836	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-39826	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-34237	NONE0	io.modelcontextprotocol.sdk:mcp-core 0.18.2 fixed in 1.0.1, 1.1.1, 0.18.3	0.2% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable