Description
Syft is a a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Syft versions before v1.42.3 would not properly cleanup temporary storage if the temporary storage was exhausted during a scan. When scanning archives Syft will unpack those archives into temporary storage then inspect the unpacked contents. Under normal operation Syft will remove the temporary data it writes after completing a scan. This vulnerability would affect users of Syft that were scanning content that could cause Syft to fill the temporary storage that would then cause Syft to raise an error and exit. When the error is triggered Syft would exit without properly removing the temporary files in use. In our testing this was most easily reproduced by scanning very large artifacts or highly compressed artifacts such as a zipbomb. Because Syft would not clean up its temporary files, the result would be filling temporary file storage preventing future runs of Syft or other system utilities that rely on temporary storage being available. The patch has been released in v1.42.3. Syft now cleans up temporary files when an error condition is encountered. There are no workarounds for this vulnerability in Syft. Users that find their temporary storage depleted can manually remove the temporary files.
Published: 2026-03-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via temporary file exhaustion
Action: Immediate Patch
AI Analysis

Impact

Syft fails to delete temporary files when the temporary storage runs out during a scan, causing the tool to abort while leaving large amounts of unused data behind. The residual files occupy the system’s temporary space, which can prevent Syft, other utilities, or the operating system from creating new files. This problem is a resource exhaustion vulnerability, classified under CWE-460, and primarily threatens availability rather than confidentiality or integrity.

Affected Systems

The vulnerability affects all versions of Anchore Syft preceding 1.42.3. Users running Syft to generate SBOMs from container images, file systems, or archives are at risk, especially when handling very large or highly compressed files such as zipbombs.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and an EPSS score below 1% suggests a low likelihood of large‑scale exploitation. The attack vector is local: an adversary or a privileged user must run Syft against a suitable large or compressed artifact. Because the issue manifests only when temporary storage is exhausted, the impact is limited to environments that perform extensive scanning without monitoring tmp usage. The vulnerability is not currently listed in CISA’s KEV catalog.

Generated by OpenCVE AI on April 1, 2026 at 05:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Syft to v1.42.3 or later
  • Manually delete residual temporary files when storage is depleted

Generated by OpenCVE AI on April 1, 2026 at 05:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rjcw-vg7j-m9rc Syft improper temporary file cleanup
History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:anchore:syft:*:*:*:*:*:*:*:*

Fri, 27 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Anchore
Anchore syft
Vendors & Products Anchore
Anchore syft

Thu, 26 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description Syft is a a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Syft versions before v1.42.3 would not properly cleanup temporary storage if the temporary storage was exhausted during a scan. When scanning archives Syft will unpack those archives into temporary storage then inspect the unpacked contents. Under normal operation Syft will remove the temporary data it writes after completing a scan. This vulnerability would affect users of Syft that were scanning content that could cause Syft to fill the temporary storage that would then cause Syft to raise an error and exit. When the error is triggered Syft would exit without properly removing the temporary files in use. In our testing this was most easily reproduced by scanning very large artifacts or highly compressed artifacts such as a zipbomb. Because Syft would not clean up its temporary files, the result would be filling temporary file storage preventing future runs of Syft or other system utilities that rely on temporary storage being available. The patch has been released in v1.42.3. Syft now cleans up temporary files when an error condition is encountered. There are no workarounds for this vulnerability in Syft. Users that find their temporary storage depleted can manually remove the temporary files.
Title Syft improper temporary file cleanup
Weaknesses CWE-460
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Anchore Syft
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T14:42:05.318Z

Reserved: 2026-03-20T16:16:48.970Z

Link: CVE-2026-33481

cve-icon Vulnrichment

Updated: 2026-03-27T14:42:00.190Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T18:16:29.733

Modified: 2026-03-31T21:15:56.197

Link: CVE-2026-33481

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:56:37Z

Weaknesses