Vulnerability Reportvespaengine/vespa:8.708.30

vespaengine/vespa:latestvespaengine/vespa:8vespaengine/vespa:8.708.30

DIGESTsha256:9fc8a7e2ced753b288d8f8a7cabbccf4a53786db5592421526c36ee8b88bd7cf

Executive Summary

Threat ScoreNEEDS ATTENTION• 2 exposed vulnerabilities with severity >= 6.0 (max 6.48) require attention• CVE-2026-45447: use-after-free in OpenSSL PKCS7_verify() could allow RCE or crash• CVE-2026-45186: denial of service via crafted XML input in libexpat• Image is popular (14M+ pulls) and pinned by digest, from reliable publisher• No high-severity post-exploit vulnerabilities; post-exploit max severity is 3.98• Post-exploit total is 11, but none with severity >= 6.0

25/100NEEDS ATTENTION

ReputationPOPULAR COMMUNITY• High Reputation Community Image (14M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. Two medium-severity exposures exist: CVE-2026-45447 (OpenSSL use-after-free, potential RCE if PKCS7_verify() is called) and CVE-2026-45186 (libexpat denial of service via crafted XML). Note that CVE-2026-45447 only applies if the application processes PKCS#7 or S/MIME signed messages. Post-exploit findings are all low severity (max 3.98) and pose minimal additional risk. Upgrading the affected packages (openssl-libs, expat) would eliminate these vulnerabilities.

Vulnerabilities

Vulnerability Log

28 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-45447	MEDIUM6.48	openssl-libs 1:1.1.1k-15.el8_6 fixed in 1:1.1.1k-16.el8_6	1.4% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-45186	MEDIUM6.38	expat 2.5.0-1.el8_10 fixed in 2.5.0-2.el8_10	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2024-34459	MEDIUM5.5	libxml2 2.9.7-21.el8_10.4 fixed in 2.9.7-21.el8_10.5	2.3% Low-Moderate Risk	Directly Exposed
CVE-2026-35568	MEDIUM4.84	io.modelcontextprotocol.sdk:mcp-core 0.18.2 fixed in 1.0.0	0.1% Theoretical Threat	Directly Exposed
CVE-2026-31787	LOW3.98	perf 4.18.0-553.132.1.el8_10 fixed in 4.18.0-553.134.1.el8_10	0.2% Theoretical Threat	Post-Exploit
CVE-2026-31669	LOW3.82	perf 4.18.0-553.132.1.el8_10 fixed in 4.18.0-553.134.1.el8_10	0.4% Theoretical Threat	Post-Exploit
CVE-2026-43110	LOW3.82	perf 4.18.0-553.132.1.el8_10 fixed in 4.18.0-553.134.1.el8_10	0.2% Theoretical Threat	Post-Exploit
CVE-2026-31786	LOW3.62	perf 4.18.0-553.132.1.el8_10 fixed in 4.18.0-553.134.1.el8_10	0.2% Theoretical Threat	Post-Exploit
CVE-2026-46056	LOW3.62	perf 4.18.0-553.132.1.el8_10 fixed in 4.18.0-553.134.1.el8_10	0.3% Theoretical Threat	Post-Exploit
CVE-2026-35177	LOW3.62	vim-minimal 2:8.0.1763-22.el8_10.3 fixed in 2:8.0.1763-23.el8_10	0.1% Theoretical Threat	Post-Exploit
CVE-2026-43329	LOW3.57	perf 4.18.0-553.132.1.el8_10 fixed in 4.18.0-553.134.1.el8_10	0.1% Theoretical Threat	Post-Exploit
CVE-2026-46125	LOW3.57	perf 4.18.0-553.132.1.el8_10 fixed in 4.18.0-553.134.1.el8_10	0.3% Theoretical Threat	Post-Exploit
CVE-2026-46152	LOW3.57	perf 4.18.0-553.132.1.el8_10 fixed in 4.18.0-553.134.1.el8_10	0.3% Theoretical Threat	Post-Exploit
CVE-2024-4741	LOW3.36	openssl-libs 1:1.1.1k-15.el8_6 fixed in 1:1.1.1k-16.el8_6	2.9% Low-Moderate Risk	Directly Exposed
CVE-2026-45447	LOW2.92	openssl 1:1.1.1k-15.el8_6 fixed in 1:1.1.1k-16.el8_6	1.4% Low-Moderate Risk	Post-Exploit
CVE-2024-4741	LOW2.02	openssl 1:1.1.1k-15.el8_6 fixed in 1:1.1.1k-16.el8_6	2.9% Low-Moderate Risk	Post-Exploit
CVE-2026-33811	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Not Applicable
CVE-2026-33814	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-39820	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-39836	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-39826	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-34237	NONE0	io.modelcontextprotocol.sdk:mcp-core 0.18.2 fixed in 1.0.1, 1.1.1, 0.18.3	0.2% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable