PatchSiren cyber security CVE debrief

CVE-2026-35172 distribution CVE debrief

CVE-2026-35172 is a high-severity vulnerability in the Distribution toolkit that allows read access to deleted container content to be restored under specific configurations. The vulnerability arises when both storage.cache.blobdescriptor: redis and storage.delete.enabled: true are set, and it lets a blob that one repository has deleted become readable again through access from a different repository. The issue was fixed in version 3.1.0 of the Distribution toolkit. The vulnerability has a CVSS score of 7.5 and is rated HIGH. The CVE was published on April 6, 2026, and last modified on June 30, 2026.

Vendor: distribution
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-06
Original CVE updated: 2026-06-30
Advisory published: 2026-04-06
Advisory updated: 2026-06-30

Who should care

Users of the Distribution toolkit, especially those running versions prior to 3.1.0, should be aware of this vulnerability. Administrators and developers who operate the toolkit should make sure they are running the latest version to prevent unauthorized access to deleted container content.

Technical summary

The Distribution toolkit, used for packing, shipping, storing, and delivering container content, contained a vulnerability that could restore read access to deleted blobs under certain conditions. When both storage.cache.blobdescriptor: redis and storage.delete.enabled: true were set, an explicit delete operation cleared the shared digest descriptor but left stale repository-scoped membership information behind. A later Stat or Get operation from a different repository could then repopulate the shared descriptor, making the deleted blob readable again from the original repository. The fix is included in version 3.1.0 of the Distribution toolkit.
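To make that sequence concrete, here is an added toy model of the two-level cache, written for this debrief and not taken from Distribution's code base; the cache layout, the "<repo>/<digest>" membership key and the SetDescriptor, Stat, ClearVulnerable and ClearFixed names are all assumptions. It replays the delete, the repopulation by a different repository and the final Stat from the original repository, once with a delete that leaves membership stale and once with a delete that clears it too:

```go
package main

import "fmt"

// Toy model of the two-level blob descriptor cache the debrief describes (an added
// example, not Distribution's own code): one shared digest-keyed entry plus
// repository-scoped membership stored under a "<repo>/<digest>" key.
type DescriptorCache struct {
	shared  map[string]int64 // digest -> blob size, shared by every repository
	members map[string]bool  // "<repo>/<digest>" -> repository may resolve this digest
}

func NewDescriptorCache() *DescriptorCache {
	return &DescriptorCache{shared: map[string]int64{}, members: map[string]bool{}}
}

// SetDescriptor is what a cache-missing Stat/Get does once the backend confirms the blob.
func (c *DescriptorCache) SetDescriptor(repo, digest string, size int64) {
	c.shared[digest] = size
	c.members[repo+"/"+digest] = true
}

// Stat resolves a digest for a repository only if both cache levels agree.
func (c *DescriptorCache) Stat(repo, digest string) (int64, bool) {
	size, ok := c.shared[digest]
	return size, ok && c.members[repo+"/"+digest]
}

// ClearVulnerable models the pre-3.1.0 delete: the shared entry goes, membership stays (stale).
func (c *DescriptorCache) ClearVulnerable(repo, digest string) { delete(c.shared, digest) }

// ClearFixed also drops the repository-scoped membership, so a later repopulation by
// another repository cannot make the blob readable again from this one.
func (c *DescriptorCache) ClearFixed(repo, digest string) {
	delete(c.shared, digest)
	delete(c.members, repo+"/"+digest)
}

// Scenario replays the debrief's sequence with the given delete behaviour and reports
// whether repository "alpha" can still resolve the blob it explicitly deleted.
func Scenario(clear func(*DescriptorCache, string, string)) bool {
	c := NewDescriptorCache()
	digest := "sha256:constructed-sample-digest" // constructed placeholder, not a real digest
	c.SetDescriptor("alpha", digest, 4096)
	clear(c, "alpha", digest)
	c.SetDescriptor("beta", digest, 4096) // a different repository's Stat/Get repopulates the shared entry
	_, readable := c.Stat("alpha", digest)
	return readable
}

func main() { fmt.Println(Scenario((*DescriptorCache).ClearVulnerable), Scenario((*DescriptorCache).ClearFixed)) } // true false
```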

Defensive priority

Updating the Distribution toolkit to version 3.1.0 or later should be treated as a high priority. Administrators should review their current configurations and confirm that the fix has been applied to prevent potential exploitation.

Recommended defensive actions

  • Update the Distribution toolkit to version 3.1.0 or later.
  • Review the current settings of storage.cache.blobdescriptor and storage.delete.enabled, since the issue arises when the redis cache and blob deletion are enabled together.
  • Ensure that all instances of the Distribution toolkit are patched.
  • Monitor for any suspicious access to deleted container content.
  • Consider implementing additional security measures to protect sensitive data.

Evidence notes

The CVE-2026-35172 vulnerability was identified in the Distribution toolkit. It allows read access to deleted container content to be restored under specific configurations. The issue was publicly disclosed on April 6, 2026, and a fix was provided in version 3.1.0. The CVSS score for this vulnerability is 7.5, indicating high severity.

Official resources

This article is AI-assisted and based on the supplied source corpus.