PatchSiren cyber security CVE debrief
CVE-2026-35172 distribution CVE debrief
CVE-2026-35172 is a high-severity vulnerability in Distribution, the toolkit for packing, shipping, storing and delivering container content that underlies the open source container registry. Under one specific configuration, a blob that has been explicitly deleted from a repository can become readable again from that same repository. The trigger is having both storage.cache.blobdescriptor: redis and storage.delete.enabled: true set: the delete clears the shared, digest-keyed descriptor in the Redis cache but leaves the repository-scoped membership behind, so a later Stat or Get of the same digest from a different repository repopulates the shared descriptor and revives read access from the original repository. The issue is fixed in Distribution 3.1.0. It carries a CVSS score of 7.5 (HIGH). The CVE was published on April 6, 2026 and last modified on June 30, 2026.
- Vendor: distribution
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-06
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-06
- Advisory updated: 2026-06-30
Who should care
Operators of a Distribution-based registry running a version prior to 3.1.0 with the Redis blob descriptor cache (storage.cache.blobdescriptor: redis) and blob deletion (storage.delete.enabled: true) both enabled. Both conditions are needed for the described path, so instances that do not use the redis descriptor cache, or that have deletion disabled, are not affected by this issue as described. Administrators and platform teams should confirm the running version and these two settings, since a delete that silently stops being effective undermines any process that relies on deletion to withdraw content.
Technical summary
Distribution, used for packing, shipping, storing and delivering container content, keeps a blob descriptor cache in front of its storage backend. With the Redis cache (storage.cache.blobdescriptor: redis) that cache has two parts: a shared, digest-keyed descriptor and repository-scoped membership recording which repositories may see that digest. When blob deletion is enabled (storage.delete.enabled: true), an explicit delete cleared the shared descriptor but left the stale repository-scoped membership behind. The deleted blob was then unreadable from the original repository only until a different repository that still held the same digest issued a Stat or Get: that request repopulated the shared descriptor (the normal read-through behaviour on a cache miss). From that point the original repository's stale membership, combined with the fresh shared descriptor, made the deleted blob readable again from the repository it had been deleted from. Shared layers across repositories are routine in registries, so the cross-repository request is an ordinary event rather than a rare one. The fix is included in Distribution 3.1.0.
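To make that sequence concrete, the Go program below models the two-level cache the advisory describes and replays the delete, the cross-repository Stat, and the re-read from the original repository. It is an added example written for this debrief, not code from the Distribution project: the Registry and descriptorCache types, the repository names and the digest are constructed for illustration, and the "hardened" variant (clearing the repository-scoped membership on delete) is one plausible way to close the gap, not a description of the change actually shipped in 3.1.0.

```go
package main

import "fmt"

// Descriptor is the metadata the cache stores per blob; only the size matters here.
type Descriptor struct{ Size int64 }

// descriptorCache models the two-level layout the advisory describes: one shared,
// digest-keyed descriptor plus repository-scoped membership. Hypothetical model only.
type descriptorCache struct {
	shared     map[string]Descriptor      // digest -> descriptor
	membership map[string]map[string]bool // repo -> digest -> member
}

// set records that repo has seen digest: fills the shared entry and repo's membership.
func (c *descriptorCache) set(repo, digest string, desc Descriptor) {
	c.shared[digest] = desc
	if c.membership[repo] == nil {
		c.membership[repo] = map[string]bool{}
	}
	c.membership[repo][digest] = true
}

// stat is a hit only when the shared entry exists and repo is a member for digest.
func (c *descriptorCache) stat(repo, digest string) (Descriptor, bool) {
	desc, ok := c.shared[digest]
	return desc, ok && c.membership[repo][digest]
}

// Registry joins the cache to a per-repository backing store. hardened selects a
// corrected delete that also drops the repository-scoped membership, assumed here as
// one way to close the gap; it does not describe the change shipped in Distribution 3.1.0.
type Registry struct {
	cache    *descriptorCache
	backend  map[string]map[string]Descriptor // repo -> digest -> descriptor
	hardened bool
}

func NewRegistry(hardened bool) *Registry {
	cache := &descriptorCache{shared: map[string]Descriptor{}, membership: map[string]map[string]bool{}}
	return &Registry{cache: cache, backend: map[string]map[string]Descriptor{}, hardened: hardened}
}

// Put links a blob into repo's backend and primes the cache, as a push would.
func (r *Registry) Put(repo, digest string, desc Descriptor) {
	if r.backend[repo] == nil {
		r.backend[repo] = map[string]Descriptor{}
	}
	r.backend[repo][digest] = desc
	r.cache.set(repo, digest, desc)
}

// Stat serves from the cache; on a miss it consults repo's backend and, if the blob
// is there, repopulates the cache. In the vulnerable layout that repopulation is
// what revives another repository's stale membership entry.
func (r *Registry) Stat(repo, digest string) (Descriptor, bool) {
	if desc, ok := r.cache.stat(repo, digest); ok {
		return desc, true
	}
	desc, ok := r.backend[repo][digest]
	if ok {
		r.cache.set(repo, digest, desc)
	}
	return desc, ok
}

// Delete unlinks digest from repo's backend and clears the shared descriptor.
// The vulnerable variant stops there, leaving repo's membership for digest behind.
func (r *Registry) Delete(repo, digest string) {
	delete(r.backend[repo], digest)
	delete(r.cache.shared, digest)
	if r.hardened {
		delete(r.cache.membership[repo], digest)
	}
}

// RunScenario replays the advisory's sequence and reports whether the deleted blob
// is readable from the original repository right after the delete and again after
// a different repository stats the same digest.
func RunScenario(hardened bool) (afterDelete, afterOtherRepoStat bool) {
	r := NewRegistry(hardened)
	const layer = "sha256:constructed-sample-layer-digest" // constructed, not a real digest
	desc := Descriptor{Size: 4096}
	r.Put("team-a/app", layer, desc) // both repositories reference the same layer
	r.Put("team-b/app", layer, desc)
	r.Delete("team-a/app", layer) // explicit delete from the first repository
	_, afterDelete = r.Stat("team-a/app", layer)
	r.Stat("team-b/app", layer) // cache miss, backend hit for team-b, shared entry repopulated
	_, afterOtherRepoStat = r.Stat("team-a/app", layer)
	return afterDelete, afterOtherRepoStat
}

func main() {
	for _, hardened := range []bool{false, true} {
		a, b := RunScenario(hardened)
		fmt.Printf("hardened=%-5v readable after delete=%-5v after other repo stat=%v\n", hardened, a, b)
	}
}
```

The point the model makes is that the delete looks correct when tested in isolation (the first Stat fails as expected) and only fails once another repository touches the same digest, which is why a simple "delete then read back" check will not catch this class of cache-consistency bug.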
Defensive priority
Treat this as high priority wherever both settings are enabled: upgrade to Distribution 3.1.0 or later. Because the defect requires both storage.cache.blobdescriptor: redis and storage.delete.enabled: true, turning off either one removes the trigger at the cost of that feature, but that is a stopgap rather than a fix. Instances on an older version that do not use the redis cache, or that have deletion disabled, are not exposed through the path described here and can be upgraded as part of normal patching.
Recommended defensive actions
- Upgrade every Distribution instance to 3.1.0 or later, and confirm the running version rather than the intended one, since registries are often deployed from pinned images.
- Inventory configurations for the combination storage.cache.blobdescriptor: redis with storage.delete.enabled: true; that combination identifies the exposed instances.
- Until an instance is upgraded, do not rely on blob deletion alone to withdraw access to content; a delete that later stops being effective is the failure mode here.
- Where deletes are used to remove content that must not be served, re-check later that the blob is no longer fetchable from the repository, not only immediately after the delete, because the stale entry only takes effect once another repository touches the same digest.
- Review registry access logs for successful blob reads of digests that had previously been deleted from the same repository.
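A quick way to triage a fleet against the conditions in the list above is to check the version against 3.1.0 and read the two keys out of each instance's config.yml. The Go program below is an added example written for this debrief, not part of Distribution: FlattenYAML is a minimal parser for nested block mappings written here (it is not a general YAML library), OlderThanFixed and Assess are hypothetical helpers, and SampleConfig is a constructed config fragment.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// fixedVersion is the release the advisory names as carrying the fix.
var fixedVersion = [3]int{3, 1, 0}

// FlattenYAML reduces a document of nested block mappings (the shape of a registry
// config.yml) to dotted leaf paths such as "storage.cache.blobdescriptor". Lists, flow
// syntax, anchors and multi-line scalars are out of scope for this minimal parser.
func FlattenYAML(doc string) map[string]string {
	type frame struct{ indent int; key string }
	leaves, stack := map[string]string{}, []frame{}
	sc := bufio.NewScanner(strings.NewReader(doc))
	for sc.Scan() {
		line := strings.TrimRight(sc.Text(), " \t")
		body := strings.TrimSpace(line)
		if body == "" || body == "---" || strings.HasPrefix(body, "#") {
			continue
		}
		indent := len(line) - len(strings.TrimLeft(line, " "))
		key, val, _ := strings.Cut(body, ":")
		if i := strings.Index(val, " #"); i >= 0 {
			val = val[:i] // drop a trailing inline comment
		}
		val = strings.Trim(strings.TrimSpace(val), `"'`)
		for len(stack) > 0 && stack[len(stack)-1].indent >= indent {
			stack = stack[:len(stack)-1] // a dedent closes the enclosing mapping(s)
		}
		if val == "" { // a key without a scalar opens a nested mapping
			stack = append(stack, frame{indent, key})
			continue
		}
		path := make([]string, 0, len(stack)+1)
		for _, f := range stack {
			path = append(path, f.key)
		}
		leaves[strings.Join(append(path, key), ".")] = val
	}
	return leaves
}

// OlderThanFixed reports whether version (e.g. "3.0.0", "v2.8.3", "3.1.0-rc.1") sorts
// before fixedVersion. A pre-release of the fixed version counts as older, hence unpatched.
func OlderThanFixed(version string) (bool, error) {
	base, _, hasPre := strings.Cut(strings.TrimPrefix(strings.TrimSpace(version), "v"), "-")
	parts := strings.Split(base, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("unrecognised version %q", version)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return false, fmt.Errorf("unrecognised version %q", version)
		}
		if n != fixedVersion[i] {
			return n < fixedVersion[i], nil
		}
	}
	return hasPre, nil
}

// Triage records the three conditions the advisory names; Exposed needs all of them.
type Triage struct{ UnpatchedVersion, RedisCache, DeleteEnabled bool }
func (t Triage) Exposed() bool { return t.UnpatchedVersion && t.RedisCache && t.DeleteEnabled }

// Assess combines the running version with the two configuration keys from the advisory.
func Assess(configYAML, version string) (Triage, error) {
	older, err := OlderThanFixed(version)
	if err != nil {
		return Triage{}, err
	}
	cfg := FlattenYAML(configYAML)
	return Triage{
		UnpatchedVersion: older,
		RedisCache:       strings.EqualFold(cfg["storage.cache.blobdescriptor"], "redis"),
		DeleteEnabled:    strings.EqualFold(cfg["storage.delete.enabled"], "true"),
	}, nil
}

// SampleConfig is a constructed config.yml fragment with the affected combination set.
const SampleConfig = `storage:
  cache:
    blobdescriptor: redis # affected when storage.delete.enabled is also true
  delete:
    enabled: true
`

func main() {
	t, err := Assess(SampleConfig, "3.0.0") // constructed: a pre-fix version with both keys set
	fmt.Printf("exposed=%v triage=%+v err=%v\n", t.Exposed(), t, err)
}
```

Assess deliberately reports the three conditions separately rather than a single yes/no, so an instance that is old but uses a different descriptor cache still shows up as unpatched in the inventory without being flagged as exposed to this specific issue.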
Evidence notes
Stored evidence identifies CVE-2026-35172 in Distribution, with restored read access to deleted container content as the impact under the configuration described above. It was publicly disclosed on April 6, 2026, the fix is in version 3.1.0, and the CVSS score is 7.5 (HIGH). The stored evidence carries no CISA KEV listing.
Official resources
- CVE-2026-35172 CVE record (CVE.org)
- CVE-2026-35172 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference (tagged Exploit, Vendor Advisory)
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.