DEBIAN-CVE-2021-20291
Advisory lineage Upstream: 1 Downstream: 0
Upstream
Published: 01 Apr 2021, 18:15
Last modified:28 Apr 2026, 20:22
Vulnerability Summary
Overall Risk (default)
medium
26/100 CVSS Score
6.5 MEDIUM
3.1 (osv_debian)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
01 Apr 2021, 18:15
Published
Vulnerability first disclosed
28 Apr 2026, 20:22
Last Modified
Vulnerability information updated
Description
A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a malicious image, which when downloaded and stored by an application using containers/storage, would then cause a deadlock leading to a Denial of Service (DoS).
CVSS Metrics
- v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Systems
- debian•golang-github-containers-storage
all | < 1.34.1+ds1-1 | < 1.34.1+ds1-1 | < 1.34.1+ds1-1