Description
Syft is a a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Syft versions before v1.42.3 would not properly cleanup temporary storage if the temporary storage was exhausted during a scan. When scanning archives Syft will unpack those archives into temporary storage then inspect the unpacked contents. Under normal operation Syft will remove the temporary data it writes after completing a scan. This vulnerability would affect users of Syft that were scanning content that could cause Syft to fill the temporary storage that would then cause Syft to raise an error and exit. When the error is triggered Syft would exit without properly removing the temporary files in use. In our testing this was most easily reproduced by scanning very large artifacts or highly compressed artifacts such as a zipbomb. Because Syft would not clean up its temporary files, the result would be filling temporary file storage preventing future runs of Syft or other system utilities that rely on temporary storage being available. The patch has been released in v1.42.3. Syft now cleans up temporary files when an error condition is encountered. There are no workarounds for this vulnerability in Syft. Users that find their temporary storage depleted can manually remove the temporary files.
Published: 2026-03-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is that Syft, when scanning large or highly compressed archive contents, fills temporary storage. When the scan fails due to exhausted temp storage, Syft exits without removing the temp files it created, leaving stale files that consume storage permanently. This results in a denial of service for both Syft and other system utilities that depend on temporary storage, because the disk becomes full and future scans or processes cannot start. The weakness stems from improper resource shutdown, identified as CWE‑460.

Affected Systems

The affected software is the Syft CLI and Go library developed by Anchore. Versions prior to 1.42.3 are susceptible. Users running any older release that performs assembly or analysis of container images, filesystem snapshots, or arbitrary archives may experience the problem. The volatility of the issue is highest when processing large or maliciously compressed artifacts such as zip bombs, which rapidly consume temporary space.

Risk and Exploitability

CVSS 5.3 indicates a moderate level of severity. Exploitation is a local threat: an attacker who can run Syft with sufficient privileges and supply a large archive can trigger the failure. The absence of an EPSS score and lack of listing in CISA’s KEV catalog imply no widespread active exploitation yet. However, the flaw remains exploitable on systems where Syft or its integrated scanning components run under user accounts with write access to the system’s temporary directory. Proper cleanup is now implemented in version 1.42.3, so applying the update mitigates the issue.

Generated by OpenCVE AI on March 26, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Syft v1.42.3 or newer to apply the automatic temporary‑file cleanup fix
  • Verify the version with "syft --version"
  • Ensure sufficient disk space is available in the system temporary directory before initiating scans
  • If temporary files remain after a failed scan, delete them manually from the system's temp location (commonly /tmp or the path returned by tempfile)
  • If you are unable to upgrade immediately, monitor temporary storage usage and intervene before it reaches capacity to avoid service disruption

Generated by OpenCVE AI on March 26, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rjcw-vg7j-m9rc Syft improper temporary file cleanup
History

Fri, 27 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Anchore
Anchore syft
Vendors & Products Anchore
Anchore syft

Thu, 26 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description Syft is a a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Syft versions before v1.42.3 would not properly cleanup temporary storage if the temporary storage was exhausted during a scan. When scanning archives Syft will unpack those archives into temporary storage then inspect the unpacked contents. Under normal operation Syft will remove the temporary data it writes after completing a scan. This vulnerability would affect users of Syft that were scanning content that could cause Syft to fill the temporary storage that would then cause Syft to raise an error and exit. When the error is triggered Syft would exit without properly removing the temporary files in use. In our testing this was most easily reproduced by scanning very large artifacts or highly compressed artifacts such as a zipbomb. Because Syft would not clean up its temporary files, the result would be filling temporary file storage preventing future runs of Syft or other system utilities that rely on temporary storage being available. The patch has been released in v1.42.3. Syft now cleans up temporary files when an error condition is encountered. There are no workarounds for this vulnerability in Syft. Users that find their temporary storage depleted can manually remove the temporary files.
Title Syft improper temporary file cleanup
Weaknesses CWE-460
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Anchore Syft
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T14:42:05.318Z

Reserved: 2026-03-20T16:16:48.970Z

Link: CVE-2026-33481

cve-icon Vulnrichment

Updated: 2026-03-27T14:42:00.190Z

cve-icon NVD

Status : Received

Published: 2026-03-26T18:16:29.733

Modified: 2026-03-26T18:16:29.733

Link: CVE-2026-33481

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:25:58Z

Weaknesses