Summary
Several HIGH/CRITICAL/MEDIUM CVEs are unpatched in Wolfi's current glibc-2.43-r7 and binutils-2.46-r1 packages even though upstream/distro patches exist. This issue expands the original scope (which was binutils-only).
glibc 2.43-r7
The May 1 update (commit 88cd4cba — fix(glibc): cherry-pick patches from mailing list for CVE fixes, PR by @xnox) added two patches:
0002-libio-Fix-ungetwc-operating-on-byte-stream-BZ-33998.patch → CVE-2026-5928 ✅
0003-stdio-common-Fix-buffer-overflow-in-scanf-mc-BZ-3400.patch → CVE-2026-5450 ✅
Five other glibc CVEs in the same April 30 GLIBC-SA-2026-0009 batch that weren't cherry-picked:
iconv() IBM1390/IBM1399 assertion failure
gethostbyaddr DNS backend
ns_*printrrf buffer overflow
ns_sprintrrf buffer overread (companion to CVE-2026-5435)
Fedora and Debian have shipped backports for all of these against the 2.43 branch; would be a one-time follow-up to the same PR.
binutils 2.46-r1
binutils.yaml was last touched 2026-03-12 with no patches (patches: section absent). Four CVEs published 2026-03-06 are unpatched:
readelf null-deref in display_relocations()
readelf double-free on malformed relocation data
readelf family
readelf family
Sourceware bugzilla 33697; fix referenced at binutils-gdb commit 66a3492ce68e1ae45b2489bd9a815c39ea5d7f66. Fedora/Red Hat have backports.
Ask
Either bump the packages with the missing patches cherry-picked, or add not-affected advisory entries (with rationale) so downstream scanners stop flagging. For binutils specifically the runtime exploit surface is near-zero (readelf is a build-time analysis tool), so a not-affected entry there would be reasonable.
Impact
Container scanners (Aqua) flag 9 of 11 of these on every image built on wolfi-base. We're hitting them on nightly builds — happy to send a PR with patch backports if that helps.