malcontent: Error-path cleanup gap can leak scanners and fds and degrade availability
Moderate severity
GitHub Reviewed
Published
Feb 27, 2026
in
chainguard-dev/malcontent
•
Updated Mar 2, 2026
Package
Affected versions
< 1.21.0
Patched versions
1.21.0
Description
Published to the GitHub Advisory Database
Mar 2, 2026
Reviewed
Mar 2, 2026
Last updated
Mar 2, 2026
Several extraction and scanning code paths registered late defers which could leak resources and exhaust system resources.
This report is an aggregate of these individual reports for the affected code:
GHSA-jjgh-mc5q-gch7pkg/action/scan.goGHSA-mwmf-fxh2-w4x7pkg/archive/deb.goGHSA-p8j3-rpf5-gwv3pkg/archive/gzip.goGHSA-qfh4-7f5v-75gqpkg/archive/zlib.goGHSA-wxxf-r586-5rf5pkg/archive/bzip2.goFix: #1354, #1355, #1356, #1361
Acknowledgements
Thank you to Oleh Konko from 1seal for discovering and reporting all six of these issues.
References