This image is acceptable for production, but remediating the identified vulnerabilities is recommended to reduce the attack surface. While there are 6 exposed vulnerabilities, only one (CVE-2026-45447) has a severity above 6.0, and it affects a rarely used OpenSSL function (PKCS7_verify) that is unlikely to be triggered in typical Vespa operation. Therefore, the practical risk is low, but updating the base image is advised.
| CVE ID | Adjusted Severity | Package | Exploit Probability | Risk Context |
|---|---|---|---|---|
| CVE-2026-45447 | MEDIUM6.48 | openssl-libs 1:1.1.1k-15.el8_6 fixed in 1:1.1.1k-16.el8_6 | 2.3% Low-Moderate Risk | Directly ExposedContext importance: MEDIUM |
| CVE-2024-34459 | MEDIUM5.5 | libxml2 2.9.7-21.el8_10.4 fixed in 2.9.7-21.el8_10.5 | 2.3% Low-Moderate Risk | Directly Exposed |
| CVE-2026-45186 | MEDIUM5.1 | expat 2.5.0-1.el8_10 fixed in 2.5.0-2.el8_10 | 0.3% Theoretical Threat | Directly ExposedContext importance: MEDIUM |
| CVE-2026-35568 | MEDIUM4.84 | io.modelcontextprotocol.sdk:mcp-core 0.18.2 fixed in 1.0.0 | 0.1% Theoretical Threat | Directly Exposed |
| CVE-2026-31488 | LOW3.98 | perf 4.18.0-553.134.1.el8_10 fixed in 4.18.0-553.136.1.el8_10 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-46331 | LOW3.98 | perf 4.18.0-553.134.1.el8_10 fixed in 4.18.0-553.136.1.el8_10 | 0.3% Theoretical Threat | Post-Exploit |
| CVE-2026-43056 | LOW3.62 | perf 4.18.0-553.134.1.el8_10 fixed in 4.18.0-553.136.1.el8_10 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-46135 | LOW3.62 | perf 4.18.0-553.134.1.el8_10 fixed in 4.18.0-553.136.1.el8_10 | 0.5% Theoretical Threat | Post-Exploit |
| CVE-2026-35177 | LOW3.62 | vim-minimal 2:8.0.1763-22.el8_10.3 fixed in 2:8.0.1763-23.el8_10 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-31419 | LOW3.57 | perf 4.18.0-553.134.1.el8_10 fixed in 4.18.0-553.136.1.el8_10 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-46090 | LOW3.57 | perf 4.18.0-553.134.1.el8_10 fixed in 4.18.0-553.136.1.el8_10 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-46145 | LOW3.57 | perf 4.18.0-553.134.1.el8_10 fixed in 4.18.0-553.136.1.el8_10 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2024-4741 | LOW3.36 | openssl-libs 1:1.1.1k-15.el8_6 fixed in 1:1.1.1k-16.el8_6 | 2.9% Low-Moderate Risk | Directly Exposed |
| CVE-2026-43279 | LOW2.96 | perf 4.18.0-553.134.1.el8_10 fixed in 4.18.0-553.136.1.el8_10 | 0.1% Theoretical Threat | Post-Exploit |
| CVE-2026-45447 | LOW2.92 | openssl 1:1.1.1k-15.el8_6 fixed in 1:1.1.1k-16.el8_6 | 2.3% Low-Moderate Risk | Post-Exploit |
| CVE-2024-4741 | LOW2.02 | openssl 1:1.1.1k-15.el8_6 fixed in 1:1.1.1k-16.el8_6 | 2.9% Low-Moderate Risk | Post-Exploit |
| CVE-2026-33811 | NONE0 | stdlib v1.26.2 fixed in 1.25.10, 1.26.3 | 0.6% Theoretical Threat | Not Applicable |
| CVE-2026-33814 | NONE0 | stdlib v1.26.2 fixed in 1.25.10, 1.26.3 | 0.6% Theoretical Threat | Not Applicable |
| CVE-2026-39820 | NONE0 | stdlib v1.26.2 fixed in 1.25.10, 1.26.3 | 0.5% Theoretical Threat | Not Applicable |
| CVE-2026-39836 | NONE0 | stdlib v1.26.2 fixed in 1.25.10, 1.26.3 | 0.6% Theoretical Threat | Not Applicable |
| CVE-2026-39826 | NONE0 | stdlib v1.26.2 fixed in 1.25.10, 1.26.3 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-42507 | NONE0 | stdlib v1.26.2 fixed in 1.25.11, 1.26.4 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-34237 | NONE0 | io.modelcontextprotocol.sdk:mcp-core 0.18.2 fixed in 1.0.1, 1.1.1, 0.18.3 | 0.2% Theoretical Threat | Not Applicable |
| CVE-2026-27145 | NONE0 | stdlib v1.26.2 fixed in 1.25.11, 1.26.4 | 0.6% Theoretical Threat | Not Applicable |
| CVE-2026-39823 | NONE0 | stdlib v1.26.2 fixed in 1.25.10, 1.26.3 | 0.3% Theoretical Threat | Not Applicable |
| CVE-2026-39825 | NONE0 | stdlib v1.26.2 fixed in 1.25.10, 1.26.3 | 0.4% Theoretical Threat | Not Applicable |
| CVE-2026-42499 | NONE0 | stdlib v1.26.2 fixed in 1.25.10, 1.26.3 | 0.6% Theoretical Threat | Not Applicable |
| CVE-2026-42504 | NONE0 | stdlib v1.26.2 fixed in 1.25.11, 1.26.4 | 0.6% Theoretical Threat | Not Applicable |