CVE-2026-39396

OpenBao has Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS)

CVSS 3.1: Low · EPSS: 0.2% · CWE-400, CWE-674, CWE-770
In short

OpenBao's OCI plugin extraction process doesn't limit how much data it writes when decompressing container images, allowing attackers to create specially crafted images that expand to massive sizes and fill up the disk. The integrity check happens too late to prevent the damage.

Technical detail

CVE-2026-39396 is a decompression bomb vulnerability in OpenBao's ExtractPluginFromImage() function where io.Copy lacks byte limits during tar decompression from OCI images. An attacker controlling the OCI registry can serve a crafted image that decompresses to arbitrary sizes, causing disk exhaustion; SHA256 validation occurs post-write, enabling denial of service after resource consumption. Requires victim to pull from attacker-controlled or compromised registry.

Summary generated and translated by AI from the official description.
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, `ExtractPluginFromImage()` in OpenBao's OCI plugin downloader extracts a plugin binary from a container image by streaming decompressed tar data via `io.Copy` with no upper bound on the number of bytes written. An attacker who controls or compromises the OCI registry referenced in the victim's configuration can serve a crafted image containing a decompression bomb that decompresses to an arbitrarily large file. The SHA256 integrity check occurs after the full file is written to disk, meaning the hash mismatch is detected only after the damage (disk exhaustion) has already occurred. This allows the attacker to replace a **legitimate plugin image** without needing to change its signature. Version 2.5.3 contains a patch.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
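The following Go program is an added illustration of the failure mode described above and of the mitigation; it is not OpenBao's code and does not reproduce `ExtractPluginFromImage()`. The function names (`ExtractUnbounded`, `ExtractBounded`, `BuildLayer`, `CountingWriter`) and the in-memory gzip/tar layer are constructed for this example. `ExtractUnbounded` mirrors the vulnerable pattern (copy everything, then hash); `ExtractBounded` checks the declared tar entry size against a limit and additionally caps the copy with `io.LimitReader`, while hashing the stream as it is written so no second pass over the file is needed. Only the standard library is used.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when a decompressed plugin entry exceeds the configured limit.
var ErrTooLarge = errors.New("plugin entry exceeds maximum allowed size")

// BuildLayer builds an in-memory gzip-compressed tar with a single file entry.
// Constructed sample input for this example; it is not a real OCI image layer.
func BuildLayer(name string, payload []byte) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	if err := tw.WriteHeader(&tar.Header{Name: name, Mode: 0o755, Size: int64(len(payload))}); err != nil {
		panic(err)
	}
	if _, err := tw.Write(payload); err != nil {
		panic(err)
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

// findEntry walks the decompressed tar stream until it reaches the named entry.
func findEntry(layer []byte, name string) (*tar.Header, *tar.Reader, error) {
	gz, err := gzip.NewReader(bytes.NewReader(layer))
	if err != nil {
		return nil, nil, err
	}
	tr := tar.NewReader(gz)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil, nil, fmt.Errorf("entry %q not found", name)
		}
		if err != nil {
			return nil, nil, err
		}
		if hdr.Name == name {
			return hdr, tr, nil
		}
	}
}

// ExtractUnbounded mirrors the vulnerable pattern: copy the whole entry to dst,
// then verify the hash. Every decompressed byte reaches dst before a mismatch is noticed.
func ExtractUnbounded(layer []byte, name, wantSHA256 string, dst io.Writer) (int64, error) {
	_, tr, err := findEntry(layer, name)
	if err != nil {
		return 0, err
	}
	h := sha256.New()
	n, err := io.Copy(io.MultiWriter(dst, h), tr)
	if err != nil {
		return n, err
	}
	if got := hex.EncodeToString(h.Sum(nil)); got != wantSHA256 {
		return n, fmt.Errorf("sha256 mismatch: got %s want %s", got, wantSHA256)
	}
	return n, nil
}

// ExtractBounded rejects entries whose declared size exceeds maxBytes and, as
// defence in depth (the header is attacker-controlled too), caps the copy itself.
// At most maxBytes+1 bytes can ever reach dst, whatever the layer decompresses to.
func ExtractBounded(layer []byte, name string, maxBytes int64, wantSHA256 string, dst io.Writer) (int64, error) {
	hdr, tr, err := findEntry(layer, name)
	if err != nil {
		return 0, err
	}
	if hdr.Size > maxBytes {
		return 0, ErrTooLarge
	}
	h := sha256.New()
	// Read one byte past the limit so an overrun is distinguishable from an entry of exactly maxBytes.
	n, err := io.Copy(io.MultiWriter(dst, h), io.LimitReader(tr, maxBytes+1))
	if err != nil {
		return n, err
	}
	if n > maxBytes {
		return n, ErrTooLarge
	}
	if got := hex.EncodeToString(h.Sum(nil)); got != wantSHA256 {
		return n, fmt.Errorf("sha256 mismatch: got %s want %s", got, wantSHA256)
	}
	return n, nil
}

// CountingWriter stands in for the destination file and records how many bytes "hit disk".
type CountingWriter struct{ N int64 }

func (c *CountingWriter) Write(p []byte) (int, error) { c.N += int64(len(p)); return len(p), nil }

func main() {
	legit := []byte("#!/bin/sh\necho legitimate plugin\n") // constructed stand-in for a plugin binary
	sum := sha256.Sum256(legit)
	want := hex.EncodeToString(sum[:])
	oversized := make([]byte, 4<<20) // 4 MiB of zeros: compresses to a few KiB, expands on extraction
	const limit = 1 << 20

	var disk CountingWriter
	n, err := ExtractUnbounded(BuildLayer("plugin", oversized), "plugin", want, &disk)
	fmt.Printf("unbounded: %d bytes written before error: %v\n", n, err)

	disk = CountingWriter{}
	n, err = ExtractBounded(BuildLayer("plugin", oversized), "plugin", limit, want, &disk)
	fmt.Printf("bounded:   %d bytes written, error: %v\n", n, err)

	disk = CountingWriter{}
	n, err = ExtractBounded(BuildLayer("plugin", legit), "plugin", limit, want, &disk)
	fmt.Printf("bounded legit: %d bytes written, error: %v\n", n, err)
}
```

The contrast to watch is the byte count on the unbounded path: the hash check still fires, but only after the entire decompressed entry has been written, which is exactly the post-write ordering the advisory describes. A size limit chosen from the expected plugin size, enforced before and during the copy, is what turns the check into a guard rather than a post-mortem.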
Affected products
openbao · openbao
