Skip to content

Security triage review: 2026-07-13 (part 8/8) #11

Description

@github-actions

Automated Flatcar security-triage review batch 29239214013, part 8 of 8.

Run metadata

Summary

This part contains 13 decision group(s).

Recommendation Count
discovery_create_issue 1
discovery_ignore 12
Confidence Count
high 11
low 1
medium 1
Severity Count
n/a 13

Whole batch: 266 decision group(s) across 8 part(s).

Recommendation Count
discovery_create_issue 24
discovery_ignore 239
discovery_kernel_routing 3
Confidence Count
high 183
low 11
medium 72
Severity Count
CRITICAL 1
HIGH 4
MEDIUM 4
n/a 257

How to use this review

  • Check exactly one box per group to approve that action; leave a group fully unchecked to take no action for it.
  • Checking more than one box in the same group cancels that group: it is skipped and reported as a conflict.
  • Close this issue with reason Completed to apply every checked, conflict-free action.
  • Close this issue as Not planned (or leave it open) to take no automated action at all.
  • Do not edit the hidden HTML comments below the decision groups; they carry the machine-readable manifest this automation depends on.

Decision groups

Group 254: github.com/coder/coder and github.com/coder/coder/v2 (discovery, source: go_vulndb)

  • Source URL: https://pkg.go.dev/vuln/GO-2026-5923
  • CVEs / upstream IDs: GO-2026-5923, GHSA-qrwj-vh9x-gw5v
  • CVSS: n/a
  • Flatcar relevance: not_relevant (scope: not_shipped)
  • Recommendation: ignore (confidence: high)
  • SBOM matches: ../client/v2 (devel) (exact_name); ../client/v2 (devel) (exact_name); github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 (exact_name); github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 (exact_name); github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 (exact_name); github.com/cespare/xxhash/v2 v2.2.0 (exact_name); github.com/cespare/xxhash/v2 v2.2.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/clipperhouse/uax29/v2 v2.2.0 (exact_name); github.com/compose-spec/compose-go/v2 v2.4.7 (exact_name); github.com/containerd/btrfs/v2 v2.0.0 (exact_name); github.com/containerd/containerd/v2 v2.0.2 (exact_name); github.com/containerd/containerd/v2 v2.0.5 (exact_name); github.com/containerd/containerd/v2 v2.2.2 (exact_name); github.com/containerd/containerd/v2 v2.2.2 (exact_name); github.com/containerd/containerd/v2 v2.2.2 (exact_name); github.com/containerd/imgcrypt/v2 v2.0.1 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/zfs/v2 v2.0.0 (exact_name); github.com/cpuguy83/go-md2man/v2 v2.0.0 (exact_name); github.com/cpuguy83/go-md2man/v2 v2.0.5 (exact_name); github.com/cpuguy83/go-md2man/v2 v2.0.7 (exact_name); github.com/deckarep/golang-set/v2 v2.3.0 (exact_name); github.com/flatcar/ignition/v2 v2.24.0 (exact_name); github.com/fxamacker/cbor/v2 v2.7.0 (exact_name); github.com/fxamacker/cbor/v2 v2.7.0 (exact_name); github.com/fxamacker/cbor/v2 v2.9.0 (exact_name); github.com/fxamacker/cbor/v2 v2.9.0 (exact_name); github.com/go-viper/mapstructure/v2 v2.0.0 (exact_name); github.com/go-viper/mapstructure/v2 v2.4.0 (exact_name); github.com/google/renameio/v2 v2.0.0 (exact_name); github.com/googleapis/gax-go/v2 v2.12.0 (exact_name); github.com/googleapis/gax-go/v2 v2.15.0 (exact_name); github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 (exact_name); github.com/hashicorp/go-immutable-radix/v2 v2.1.0 (exact_name); github.com/hashicorp/golang-lru/v2 v2.0.7 (exact_name); github.com/hashicorp/hcl/v2 v2.23.0 (exact_name); github.com/mitchellh/hashstructure/v2 v2.0.2 (exact_name); github.com/mitchellh/hashstructure/v2 v2.0.2 (exact_name); github.com/moby/swarmkit/v2 v2.0.0-20250103191802-8c1959736554 (exact_name); github.com/moby/swarmkit/v2 v2.1.1 (exact_name); github.com/onsi/ginkgo/v2 v2.23.4 (exact_name); github.com/pelletier/go-toml/v2 v2.2.3 (exact_name); github.com/pelletier/go-toml/v2 v2.2.4 (exact_name); github.com/pelletier/go-toml/v2 v2.2.4 (exact_name); github.com/rootless-containers/rootlesskit/v2 v2.3.4 (exact_name); github.com/russross/blackfriday/v2 v2.0.1 (exact_name); github.com/russross/blackfriday/v2 v2.1.0 (exact_name); github.com/russross/blackfriday/v2 v2.1.0 (exact_name); github.com/spiffe/go-spiffe/v2 v2.5.0 (exact_name); github.com/tchap/go-patricia/v2 v2.3.3 (exact_name); github.com/urfave/cli/v2 v2.27.6 (exact_name); github.com/urfave/cli/v2 v2.27.7 (exact_name); github.com/urfave/cli/v2 v2.27.7 (exact_name); github.com/wk8/go-ordered-map/v2 v2.1.8 (exact_name); go.yaml.in/yaml/v2 v2.4.2 (exact_name); go.yaml.in/yaml/v2 v2.4.2 (exact_name); k8s.io/klog/v2 v2.130.1 (exact_name); k8s.io/klog/v2 v2.130.1 (exact_name); k8s.io/klog/v2 v2.130.1 (exact_name); k8s.io/klog/v2 v2.130.1 (exact_name)
  • Existing issue matches: none

The advisory affects the Coder application/module, which is not evidenced as shipped or used by Flatcar; the SBOM candidates are unrelated Go modules that merely share a v2 path suffix.

Choose at most one (leave all unchecked to take no action for this group):

  • Acknowledge: no advisory action needed

Group 255: github.com/coder/coder (discovery, source: go_vulndb)

  • Source URL: https://pkg.go.dev/vuln/GO-2026-5924
  • CVEs / upstream IDs: CVE-2026-55431, GHSA-v54h-cp2w-9x4g, GO-2026-5924
  • CVSS: n/a
  • Flatcar relevance: not_relevant (scope: not_shipped)
  • Recommendation: ignore (confidence: high)
  • SBOM matches: none
  • Existing issue matches: none

No evidence shows that the Coder application or its Go modules are shipped or used by Flatcar, and there are no production SBOM matches.

Choose at most one (leave all unchecked to take no action for this group):

  • Acknowledge: no advisory action needed

Group 256: github.com/coder/coder (discovery, source: go_vulndb)

  • Source URL: https://pkg.go.dev/vuln/GO-2026-5925
  • CVEs / upstream IDs: CVE-2026-55435, GHSA-wqxv-w64v-5wh6, GO-2026-5925
  • CVSS: n/a
  • Flatcar relevance: not_relevant (scope: not_shipped)
  • Recommendation: ignore (confidence: high)
  • SBOM matches: none
  • Existing issue matches: none

Coder is an application-level Go server with no evidence of shipment or use in Flatcar, and it has no production SBOM match.

Choose at most one (leave all unchecked to take no action for this group):

  • Acknowledge: no advisory action needed

Group 257: github.com/coder/coder and github.com/coder/coder/v2 (discovery, source: go_vulndb)

  • Source URL: https://pkg.go.dev/vuln/GO-2026-5926
  • CVEs / upstream IDs: CVE-2026-55432, GHSA-x9qq-2qh5-8rxf, GO-2026-5926
  • CVSS: n/a
  • Flatcar relevance: not_relevant (scope: not_shipped)
  • Recommendation: ignore (confidence: high)
  • SBOM matches: ../client/v2 (devel) (exact_name); ../client/v2 (devel) (exact_name); github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 (exact_name); github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 (exact_name); github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 (exact_name); github.com/cespare/xxhash/v2 v2.2.0 (exact_name); github.com/cespare/xxhash/v2 v2.2.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/clipperhouse/uax29/v2 v2.2.0 (exact_name); github.com/compose-spec/compose-go/v2 v2.4.7 (exact_name); github.com/containerd/btrfs/v2 v2.0.0 (exact_name); github.com/containerd/containerd/v2 v2.0.2 (exact_name); github.com/containerd/containerd/v2 v2.0.5 (exact_name); github.com/containerd/containerd/v2 v2.2.2 (exact_name); github.com/containerd/containerd/v2 v2.2.2 (exact_name); github.com/containerd/containerd/v2 v2.2.2 (exact_name); github.com/containerd/imgcrypt/v2 v2.0.1 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/zfs/v2 v2.0.0 (exact_name); github.com/cpuguy83/go-md2man/v2 v2.0.0 (exact_name); github.com/cpuguy83/go-md2man/v2 v2.0.5 (exact_name); github.com/cpuguy83/go-md2man/v2 v2.0.7 (exact_name); github.com/deckarep/golang-set/v2 v2.3.0 (exact_name); github.com/flatcar/ignition/v2 v2.24.0 (exact_name); github.com/fxamacker/cbor/v2 v2.7.0 (exact_name); github.com/fxamacker/cbor/v2 v2.7.0 (exact_name); github.com/fxamacker/cbor/v2 v2.9.0 (exact_name); github.com/fxamacker/cbor/v2 v2.9.0 (exact_name); github.com/go-viper/mapstructure/v2 v2.0.0 (exact_name); github.com/go-viper/mapstructure/v2 v2.4.0 (exact_name); github.com/google/renameio/v2 v2.0.0 (exact_name); github.com/googleapis/gax-go/v2 v2.12.0 (exact_name); github.com/googleapis/gax-go/v2 v2.15.0 (exact_name); github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 (exact_name); github.com/hashicorp/go-immutable-radix/v2 v2.1.0 (exact_name); github.com/hashicorp/golang-lru/v2 v2.0.7 (exact_name); github.com/hashicorp/hcl/v2 v2.23.0 (exact_name); github.com/mitchellh/hashstructure/v2 v2.0.2 (exact_name); github.com/mitchellh/hashstructure/v2 v2.0.2 (exact_name); github.com/moby/swarmkit/v2 v2.0.0-20250103191802-8c1959736554 (exact_name); github.com/moby/swarmkit/v2 v2.1.1 (exact_name); github.com/onsi/ginkgo/v2 v2.23.4 (exact_name); github.com/pelletier/go-toml/v2 v2.2.3 (exact_name); github.com/pelletier/go-toml/v2 v2.2.4 (exact_name); github.com/pelletier/go-toml/v2 v2.2.4 (exact_name); github.com/rootless-containers/rootlesskit/v2 v2.3.4 (exact_name); github.com/russross/blackfriday/v2 v2.0.1 (exact_name); github.com/russross/blackfriday/v2 v2.1.0 (exact_name); github.com/russross/blackfriday/v2 v2.1.0 (exact_name); github.com/spiffe/go-spiffe/v2 v2.5.0 (exact_name); github.com/tchap/go-patricia/v2 v2.3.3 (exact_name); github.com/urfave/cli/v2 v2.27.6 (exact_name); github.com/urfave/cli/v2 v2.27.7 (exact_name); github.com/urfave/cli/v2 v2.27.7 (exact_name); github.com/wk8/go-ordered-map/v2 v2.1.8 (exact_name); go.yaml.in/yaml/v2 v2.4.2 (exact_name); go.yaml.in/yaml/v2 v2.4.2 (exact_name); k8s.io/klog/v2 v2.130.1 (exact_name); k8s.io/klog/v2 v2.130.1 (exact_name); k8s.io/klog/v2 v2.130.1 (exact_name); k8s.io/klog/v2 v2.130.1 (exact_name)
  • Existing issue matches: none

The advisory affects the Coder application/module, and no Coder package or module is present in the supplied SBOM evidence. The listed SBOM entries are unrelated Go modules that merely share a /v2 path component.

Choose at most one (leave all unchecked to take no action for this group):

  • Acknowledge: no advisory action needed

Group 258: golang.org/x/crypto (discovery, source: go_vulndb)

  • Source URL: https://pkg.go.dev/vuln/GO-2026-5932
  • CVEs / upstream IDs: GO-2026-5932, GO ISSUE 44226
  • CVSS: n/a
  • Flatcar relevance: needs_manual_review (scope: production)
  • Recommendation: needs_manual_review (confidence: low)
  • SBOM matches: golang.org/x/crypto v0.31.0 (exact_name); golang.org/x/crypto v0.32.0 (exact_name); golang.org/x/crypto v0.32.0 (exact_name); golang.org/x/crypto v0.37.0 (exact_name); golang.org/x/crypto v0.43.0 (exact_name); golang.org/x/crypto v0.45.0 (exact_name)
  • Existing issue matches: none

LLM relevance decision requested manual review.

  • Safety/ambiguity notes: LLM relevance decision requested manual review.
Exact proposed issue for action disc-8d1a88c681470e3b9c5d

Title: update: golang.org/x/crypto

Name: golang.org/x/crypto
CVEs: GO-2026-5932, GO ISSUE 44226
CVSSs: n/a
Action Needed: TBD
Summary: The golang.org/x/crypto/openpgp package is unmaintained, unsafe by design, and has known security issues; no fixed version is provided, and a maintained ProtonMail fork is suggested.

refmap.gentoo: TBD

Labels: advisory, security

Choose at most one (leave all unchecked to take no action for this group):

  • Create new advisory issue: update: golang.org/x/crypto
  • No advisory action (ignore/defer)
  • Manual handling outside the pipeline

Group 259: crossbeam-epoch (discovery, source: rustsec)

  • Source URL: https://rustsec.org/advisories/RUSTSEC-0000-0000.html
  • CVEs / upstream IDs: RUSTSEC-0000-0000, HTTPS://GITHUB.COM/CROSSBEAM-RS/CROSSBEAM/PULL/1276
  • CVSS: n/a
  • Flatcar relevance: not_relevant (scope: not_shipped)
  • Recommendation: ignore (confidence: high)
  • SBOM matches: none
  • Existing issue matches: none

crossbeam-epoch has no production SBOM match or other evidence that Flatcar ships or uses it.

Choose at most one (leave all unchecked to take no action for this group):

  • Acknowledge: no advisory action needed

Group 260: crossbeam-epoch (discovery, source: rustsec)

  • Source URL: https://rustsec.org/advisories/RUSTSEC-2026-0204.html
  • CVEs / upstream IDs: RUSTSEC-2026-0204
  • CVSS: n/a
  • Flatcar relevance: not_relevant (scope: not_shipped)
  • Recommendation: ignore (confidence: high)
  • SBOM matches: none
  • Existing issue matches: none

No production SBOM match or other evidence shows that Flatcar ships or uses the Rust crate crossbeam-epoch.

Choose at most one (leave all unchecked to take no action for this group):

  • Acknowledge: no advisory action needed

Group 261: exploration (discovery, source: rustsec)

  • Source URL: https://rustsec.org/advisories/RUSTSEC-2026-0155.html
  • CVEs / upstream IDs: GHSA-99j7-fhr2-xfj4
  • CVSS: n/a
  • Flatcar relevance: not_relevant (scope: not_shipped)
  • Recommendation: ignore (confidence: medium)
  • SBOM matches: golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f (ambiguous_substring); golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f (ambiguous_substring); golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f (ambiguous_substring); golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f (ambiguous_substring)
  • Existing issue matches: none

LLM judged the only SBOM matches unrelated; treat this as strong not-shipped evidence.

Choose at most one (leave all unchecked to take no action for this group):

  • Acknowledge: no advisory action needed

Group 262: oneringbuf (discovery, source: rustsec)

  • Source URL: https://rustsec.org/advisories/RUSTSEC-2026-0152.html
  • CVEs / upstream IDs: RUSTSEC-2026-0152, GHSA-q95x-7g78-rccv
  • CVSS: n/a
  • Flatcar relevance: not_relevant (scope: not_shipped)
  • Recommendation: ignore (confidence: high)
  • SBOM matches: none
  • Existing issue matches: none

No existing issue or SBOM evidence indicates that the Rust crate oneringbuf is shipped or used by Flatcar; this application-ecosystem advisory is not relevant without such evidence.

Choose at most one (leave all unchecked to take no action for this group):

  • Acknowledge: no advisory action needed

Group 263: rustybuzz (discovery, source: rustsec)

  • Source URL: https://rustsec.org/advisories/RUSTSEC-0000-0000.html
  • CVEs / upstream IDs: RUSTSEC-0000-0000, Moving away from ttf-parser harfbuzz/rustybuzz#166
  • CVSS: n/a
  • Flatcar relevance: not_relevant (scope: not_shipped)
  • Recommendation: ignore (confidence: high)
  • SBOM matches: none
  • Existing issue matches: none

rustybuzz is an informational RustSec unmaintained notice, and there is no evidence that Flatcar ships or uses this crate.

Choose at most one (leave all unchecked to take no action for this group):

  • Acknowledge: no advisory action needed

Group 264: rustybuzz (discovery, source: rustsec)

  • Source URL: https://rustsec.org/advisories/RUSTSEC-2026-0206.html
  • CVEs / upstream IDs: RUSTSEC-2026-0206, HTTPS://GITHUB.COM/HARFBUZZ/RUSTYBUZZ/ISSUES/166
  • CVSS: n/a
  • Flatcar relevance: not_relevant (scope: not_shipped)
  • Recommendation: ignore (confidence: high)
  • SBOM matches: none
  • Existing issue matches: none

RustSec unmaintained-crate notice for rustybuzz, with no evidence that Flatcar ships or uses it and no production SBOM match.

Choose at most one (leave all unchecked to take no action for this group):

  • Acknowledge: no advisory action needed

Group 265: scc (discovery, source: rustsec)

  • Source URL: https://rustsec.org/advisories/RUSTSEC-0000-0000.html
  • CVEs / upstream IDs: RUSTSEC-0000-0000, CODEBERG ISSUE 232
  • CVSS: n/a
  • Flatcar relevance: not_relevant (scope: not_shipped)
  • Recommendation: ignore (confidence: high)
  • SBOM matches: none
  • Existing issue matches: none

No Flatcar SBOM or package-usage evidence shows that the Rust crate scc is shipped or used by Flatcar.

Choose at most one (leave all unchecked to take no action for this group):

  • Acknowledge: no advisory action needed

Group 266: scc (discovery, source: rustsec)

  • Source URL: https://rustsec.org/advisories/RUSTSEC-2026-0205.html
  • CVEs / upstream IDs: RUSTSEC-2026-0205, CODEBERG ISSUE #232
  • CVSS: n/a
  • Flatcar relevance: not_relevant (scope: not_shipped)
  • Recommendation: ignore (confidence: high)
  • SBOM matches: none
  • Existing issue matches: none

RustSec advisory affects the scc crate, but there is no production SBOM match or other evidence that Flatcar ships or uses this crate.

Choose at most one (leave all unchecked to take no action for this group):

  • Acknowledge: no advisory action needed

This section is machine-readable metadata used by the apply automation. It is safe to ignore while reviewing.

Metadata

Metadata

Assignees

No one assigned

    Labels

    security-triage/reviewSecurity-triage generated review issue (approval required)

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions