Automated Flatcar security-triage review batch 29239214013, part 8 of 8.
Run metadata
Summary
This part contains 13 decision group(s).
Recommendation
Count
discovery_create_issue
1
discovery_ignore
12
Confidence
Count
high
11
low
1
medium
1
Whole batch: 266 decision group(s) across 8 part(s).
Recommendation
Count
discovery_create_issue
24
discovery_ignore
239
discovery_kernel_routing
3
Confidence
Count
high
183
low
11
medium
72
Severity
Count
CRITICAL
1
HIGH
4
MEDIUM
4
n/a
257
How to use this review
Check exactly one box per group to approve that action; leave a group fully unchecked to take no action for it.
Checking more than one box in the same group cancels that group: it is skipped and reported as a conflict.
Close this issue with reason Completed to apply every checked, conflict-free action.
Close this issue as Not planned (or leave it open) to take no automated action at all.
Do not edit the hidden HTML comments below the decision groups; they carry the machine-readable manifest this automation depends on.
Decision groups
Group 254: github.com/coder/coder and github.com/coder/coder/v2 (discovery, source: go_vulndb)
Source URL: https://pkg.go.dev/vuln/GO-2026-5923
CVEs / upstream IDs: GO-2026-5923, GHSA-qrwj-vh9x-gw5v
CVSS: n/a
Flatcar relevance: not_relevant (scope: not_shipped)
Recommendation: ignore (confidence: high)
SBOM matches: ../client/v2 (devel) (exact_name); ../client/v2 (devel) (exact_name); github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 (exact_name); github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 (exact_name); github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 (exact_name); github.com/cespare/xxhash/v2 v2.2.0 (exact_name); github.com/cespare/xxhash/v2 v2.2.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/clipperhouse/uax29/v2 v2.2.0 (exact_name); github.com/compose-spec/compose-go/v2 v2.4.7 (exact_name); github.com/containerd/btrfs/v2 v2.0.0 (exact_name); github.com/containerd/containerd/v2 v2.0.2 (exact_name); github.com/containerd/containerd/v2 v2.0.5 (exact_name); github.com/containerd/containerd/v2 v2.2.2 (exact_name); github.com/containerd/containerd/v2 v2.2.2 (exact_name); github.com/containerd/containerd/v2 v2.2.2 (exact_name); github.com/containerd/imgcrypt/v2 v2.0.1 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/zfs/v2 v2.0.0 (exact_name); github.com/cpuguy83/go-md2man/v2 v2.0.0 (exact_name); github.com/cpuguy83/go-md2man/v2 v2.0.5 (exact_name); github.com/cpuguy83/go-md2man/v2 v2.0.7 (exact_name); github.com/deckarep/golang-set/v2 v2.3.0 (exact_name); github.com/flatcar/ignition/v2 v2.24.0 (exact_name); github.com/fxamacker/cbor/v2 v2.7.0 (exact_name); github.com/fxamacker/cbor/v2 v2.7.0 (exact_name); github.com/fxamacker/cbor/v2 v2.9.0 (exact_name); github.com/fxamacker/cbor/v2 v2.9.0 (exact_name); github.com/go-viper/mapstructure/v2 v2.0.0 (exact_name); github.com/go-viper/mapstructure/v2 v2.4.0 (exact_name); github.com/google/renameio/v2 v2.0.0 (exact_name); github.com/googleapis/gax-go/v2 v2.12.0 (exact_name); github.com/googleapis/gax-go/v2 v2.15.0 (exact_name); github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 (exact_name); github.com/hashicorp/go-immutable-radix/v2 v2.1.0 (exact_name); github.com/hashicorp/golang-lru/v2 v2.0.7 (exact_name); github.com/hashicorp/hcl/v2 v2.23.0 (exact_name); github.com/mitchellh/hashstructure/v2 v2.0.2 (exact_name); github.com/mitchellh/hashstructure/v2 v2.0.2 (exact_name); github.com/moby/swarmkit/v2 v2.0.0-20250103191802-8c1959736554 (exact_name); github.com/moby/swarmkit/v2 v2.1.1 (exact_name); github.com/onsi/ginkgo/v2 v2.23.4 (exact_name); github.com/pelletier/go-toml/v2 v2.2.3 (exact_name); github.com/pelletier/go-toml/v2 v2.2.4 (exact_name); github.com/pelletier/go-toml/v2 v2.2.4 (exact_name); github.com/rootless-containers/rootlesskit/v2 v2.3.4 (exact_name); github.com/russross/blackfriday/v2 v2.0.1 (exact_name); github.com/russross/blackfriday/v2 v2.1.0 (exact_name); github.com/russross/blackfriday/v2 v2.1.0 (exact_name); github.com/spiffe/go-spiffe/v2 v2.5.0 (exact_name); github.com/tchap/go-patricia/v2 v2.3.3 (exact_name); github.com/urfave/cli/v2 v2.27.6 (exact_name); github.com/urfave/cli/v2 v2.27.7 (exact_name); github.com/urfave/cli/v2 v2.27.7 (exact_name); github.com/wk8/go-ordered-map/v2 v2.1.8 (exact_name); go.yaml.in/yaml/v2 v2.4.2 (exact_name); go.yaml.in/yaml/v2 v2.4.2 (exact_name); k8s.io/klog/v2 v2.130.1 (exact_name); k8s.io/klog/v2 v2.130.1 (exact_name); k8s.io/klog/v2 v2.130.1 (exact_name); k8s.io/klog/v2 v2.130.1 (exact_name)
Existing issue matches: none
The advisory affects the Coder application/module, which is not evidenced as shipped or used by Flatcar; the SBOM candidates are unrelated Go modules that merely share a v2 path suffix.
Choose at most one (leave all unchecked to take no action for this group):
Group 255: github.com/coder/coder (discovery, source: go_vulndb)
Source URL: https://pkg.go.dev/vuln/GO-2026-5924
CVEs / upstream IDs: CVE-2026-55431 , GHSA-v54h-cp2w-9x4g , GO-2026-5924
CVSS: n/a
Flatcar relevance: not_relevant (scope: not_shipped)
Recommendation: ignore (confidence: high)
SBOM matches: none
Existing issue matches: none
No evidence shows that the Coder application or its Go modules are shipped or used by Flatcar, and there are no production SBOM matches.
Choose at most one (leave all unchecked to take no action for this group):
Group 256: github.com/coder/coder (discovery, source: go_vulndb)
Source URL: https://pkg.go.dev/vuln/GO-2026-5925
CVEs / upstream IDs: CVE-2026-55435 , GHSA-wqxv-w64v-5wh6 , GO-2026-5925
CVSS: n/a
Flatcar relevance: not_relevant (scope: not_shipped)
Recommendation: ignore (confidence: high)
SBOM matches: none
Existing issue matches: none
Coder is an application-level Go server with no evidence of shipment or use in Flatcar, and it has no production SBOM match.
Choose at most one (leave all unchecked to take no action for this group):
Group 257: github.com/coder/coder and github.com/coder/coder/v2 (discovery, source: go_vulndb)
Source URL: https://pkg.go.dev/vuln/GO-2026-5926
CVEs / upstream IDs: CVE-2026-55432 , GHSA-x9qq-2qh5-8rxf , GO-2026-5926
CVSS: n/a
Flatcar relevance: not_relevant (scope: not_shipped)
Recommendation: ignore (confidence: high)
SBOM matches: ../client/v2 (devel) (exact_name); ../client/v2 (devel) (exact_name); github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 (exact_name); github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 (exact_name); github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 (exact_name); github.com/cespare/xxhash/v2 v2.2.0 (exact_name); github.com/cespare/xxhash/v2 v2.2.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/cespare/xxhash/v2 v2.3.0 (exact_name); github.com/clipperhouse/uax29/v2 v2.2.0 (exact_name); github.com/compose-spec/compose-go/v2 v2.4.7 (exact_name); github.com/containerd/btrfs/v2 v2.0.0 (exact_name); github.com/containerd/containerd/v2 v2.0.2 (exact_name); github.com/containerd/containerd/v2 v2.0.5 (exact_name); github.com/containerd/containerd/v2 v2.2.2 (exact_name); github.com/containerd/containerd/v2 v2.2.2 (exact_name); github.com/containerd/containerd/v2 v2.2.2 (exact_name); github.com/containerd/imgcrypt/v2 v2.0.1 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/typeurl/v2 v2.2.3 (exact_name); github.com/containerd/zfs/v2 v2.0.0 (exact_name); github.com/cpuguy83/go-md2man/v2 v2.0.0 (exact_name); github.com/cpuguy83/go-md2man/v2 v2.0.5 (exact_name); github.com/cpuguy83/go-md2man/v2 v2.0.7 (exact_name); github.com/deckarep/golang-set/v2 v2.3.0 (exact_name); github.com/flatcar/ignition/v2 v2.24.0 (exact_name); github.com/fxamacker/cbor/v2 v2.7.0 (exact_name); github.com/fxamacker/cbor/v2 v2.7.0 (exact_name); github.com/fxamacker/cbor/v2 v2.9.0 (exact_name); github.com/fxamacker/cbor/v2 v2.9.0 (exact_name); github.com/go-viper/mapstructure/v2 v2.0.0 (exact_name); github.com/go-viper/mapstructure/v2 v2.4.0 (exact_name); github.com/google/renameio/v2 v2.0.0 (exact_name); github.com/googleapis/gax-go/v2 v2.12.0 (exact_name); github.com/googleapis/gax-go/v2 v2.15.0 (exact_name); github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 (exact_name); github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 (exact_name); github.com/hashicorp/go-immutable-radix/v2 v2.1.0 (exact_name); github.com/hashicorp/golang-lru/v2 v2.0.7 (exact_name); github.com/hashicorp/hcl/v2 v2.23.0 (exact_name); github.com/mitchellh/hashstructure/v2 v2.0.2 (exact_name); github.com/mitchellh/hashstructure/v2 v2.0.2 (exact_name); github.com/moby/swarmkit/v2 v2.0.0-20250103191802-8c1959736554 (exact_name); github.com/moby/swarmkit/v2 v2.1.1 (exact_name); github.com/onsi/ginkgo/v2 v2.23.4 (exact_name); github.com/pelletier/go-toml/v2 v2.2.3 (exact_name); github.com/pelletier/go-toml/v2 v2.2.4 (exact_name); github.com/pelletier/go-toml/v2 v2.2.4 (exact_name); github.com/rootless-containers/rootlesskit/v2 v2.3.4 (exact_name); github.com/russross/blackfriday/v2 v2.0.1 (exact_name); github.com/russross/blackfriday/v2 v2.1.0 (exact_name); github.com/russross/blackfriday/v2 v2.1.0 (exact_name); github.com/spiffe/go-spiffe/v2 v2.5.0 (exact_name); github.com/tchap/go-patricia/v2 v2.3.3 (exact_name); github.com/urfave/cli/v2 v2.27.6 (exact_name); github.com/urfave/cli/v2 v2.27.7 (exact_name); github.com/urfave/cli/v2 v2.27.7 (exact_name); github.com/wk8/go-ordered-map/v2 v2.1.8 (exact_name); go.yaml.in/yaml/v2 v2.4.2 (exact_name); go.yaml.in/yaml/v2 v2.4.2 (exact_name); k8s.io/klog/v2 v2.130.1 (exact_name); k8s.io/klog/v2 v2.130.1 (exact_name); k8s.io/klog/v2 v2.130.1 (exact_name); k8s.io/klog/v2 v2.130.1 (exact_name)
Existing issue matches: none
The advisory affects the Coder application/module, and no Coder package or module is present in the supplied SBOM evidence. The listed SBOM entries are unrelated Go modules that merely share a /v2 path component.
Choose at most one (leave all unchecked to take no action for this group):
Group 258: golang.org/x/crypto (discovery, source: go_vulndb)
Source URL: https://pkg.go.dev/vuln/GO-2026-5932
CVEs / upstream IDs: GO-2026-5932, GO ISSUE 44226
CVSS: n/a
Flatcar relevance: needs_manual_review (scope: production)
Recommendation: needs_manual_review (confidence: low)
SBOM matches: golang.org/x/crypto v0.31.0 (exact_name); golang.org/x/crypto v0.32.0 (exact_name); golang.org/x/crypto v0.32.0 (exact_name); golang.org/x/crypto v0.37.0 (exact_name); golang.org/x/crypto v0.43.0 (exact_name); golang.org/x/crypto v0.45.0 (exact_name)
Existing issue matches: none
LLM relevance decision requested manual review.
Safety/ambiguity notes: LLM relevance decision requested manual review.
Exact proposed issue for action disc-8d1a88c681470e3b9c5d
Title: update: golang.org/x/crypto
Name: golang.org/x/crypto
CVEs: GO-2026-5932, GO ISSUE 44226
CVSSs: n/a
Action Needed: TBD
Summary: The golang.org/x/crypto/openpgp package is unmaintained, unsafe by design, and has known security issues; no fixed version is provided, and a maintained ProtonMail fork is suggested.
refmap.gentoo: TBD
Labels: advisory, security
Choose at most one (leave all unchecked to take no action for this group):
Group 259: crossbeam-epoch (discovery, source: rustsec)
Source URL: https://rustsec.org/advisories/RUSTSEC-0000-0000.html
CVEs / upstream IDs: RUSTSEC-0000-0000, HTTPS://GITHUB.COM/CROSSBEAM-RS/CROSSBEAM/PULL/1276
CVSS: n/a
Flatcar relevance: not_relevant (scope: not_shipped)
Recommendation: ignore (confidence: high)
SBOM matches: none
Existing issue matches: none
crossbeam-epoch has no production SBOM match or other evidence that Flatcar ships or uses it.
Choose at most one (leave all unchecked to take no action for this group):
Group 260: crossbeam-epoch (discovery, source: rustsec)
Source URL: https://rustsec.org/advisories/RUSTSEC-2026-0204.html
CVEs / upstream IDs: RUSTSEC-2026-0204
CVSS: n/a
Flatcar relevance: not_relevant (scope: not_shipped)
Recommendation: ignore (confidence: high)
SBOM matches: none
Existing issue matches: none
No production SBOM match or other evidence shows that Flatcar ships or uses the Rust crate crossbeam-epoch.
Choose at most one (leave all unchecked to take no action for this group):
Group 261: exploration (discovery, source: rustsec)
Source URL: https://rustsec.org/advisories/RUSTSEC-2026-0155.html
CVEs / upstream IDs: GHSA-99j7-fhr2-xfj4
CVSS: n/a
Flatcar relevance: not_relevant (scope: not_shipped)
Recommendation: ignore (confidence: medium)
SBOM matches: golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f (ambiguous_substring); golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f (ambiguous_substring); golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f (ambiguous_substring); golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f (ambiguous_substring)
Existing issue matches: none
LLM judged the only SBOM matches unrelated; treat this as strong not-shipped evidence.
Choose at most one (leave all unchecked to take no action for this group):
Group 262: oneringbuf (discovery, source: rustsec)
Source URL: https://rustsec.org/advisories/RUSTSEC-2026-0152.html
CVEs / upstream IDs: RUSTSEC-2026-0152, GHSA-q95x-7g78-rccv
CVSS: n/a
Flatcar relevance: not_relevant (scope: not_shipped)
Recommendation: ignore (confidence: high)
SBOM matches: none
Existing issue matches: none
No existing issue or SBOM evidence indicates that the Rust crate oneringbuf is shipped or used by Flatcar; this application-ecosystem advisory is not relevant without such evidence.
Choose at most one (leave all unchecked to take no action for this group):
Group 263: rustybuzz (discovery, source: rustsec)
Source URL: https://rustsec.org/advisories/RUSTSEC-0000-0000.html
CVEs / upstream IDs: RUSTSEC-0000-0000, Moving away from ttf-parser harfbuzz/rustybuzz#166
CVSS: n/a
Flatcar relevance: not_relevant (scope: not_shipped)
Recommendation: ignore (confidence: high)
SBOM matches: none
Existing issue matches: none
rustybuzz is an informational RustSec unmaintained notice, and there is no evidence that Flatcar ships or uses this crate.
Choose at most one (leave all unchecked to take no action for this group):
Group 264: rustybuzz (discovery, source: rustsec)
Source URL: https://rustsec.org/advisories/RUSTSEC-2026-0206.html
CVEs / upstream IDs: RUSTSEC-2026-0206, HTTPS://GITHUB.COM/HARFBUZZ/RUSTYBUZZ/ISSUES/166
CVSS: n/a
Flatcar relevance: not_relevant (scope: not_shipped)
Recommendation: ignore (confidence: high)
SBOM matches: none
Existing issue matches: none
RustSec unmaintained-crate notice for rustybuzz, with no evidence that Flatcar ships or uses it and no production SBOM match.
Choose at most one (leave all unchecked to take no action for this group):
Group 265: scc (discovery, source: rustsec)
Source URL: https://rustsec.org/advisories/RUSTSEC-0000-0000.html
CVEs / upstream IDs: RUSTSEC-0000-0000, CODEBERG ISSUE 232
CVSS: n/a
Flatcar relevance: not_relevant (scope: not_shipped)
Recommendation: ignore (confidence: high)
SBOM matches: none
Existing issue matches: none
No Flatcar SBOM or package-usage evidence shows that the Rust crate scc is shipped or used by Flatcar.
Choose at most one (leave all unchecked to take no action for this group):
Group 266: scc (discovery, source: rustsec)
Source URL: https://rustsec.org/advisories/RUSTSEC-2026-0205.html
CVEs / upstream IDs: RUSTSEC-2026-0205, CODEBERG ISSUE #232
CVSS: n/a
Flatcar relevance: not_relevant (scope: not_shipped)
Recommendation: ignore (confidence: high)
SBOM matches: none
Existing issue matches: none
RustSec advisory affects the scc crate, but there is no production SBOM match or other evidence that Flatcar ships or uses this crate.
Choose at most one (leave all unchecked to take no action for this group):
This section is machine-readable metadata used by the apply automation. It is safe to ignore while reviewing.
Automated Flatcar security-triage review batch
29239214013, part 8 of 8.Run metadata
flatcar/security-triageflatcar/security-triage08abc3cf2970e9bdc0be3c0162ecff3ebe7beb71Summary
This part contains 13 decision group(s).
Whole batch: 266 decision group(s) across 8 part(s).
How to use this review
Decision groups
Group 254: github.com/coder/coder and github.com/coder/coder/v2 (discovery, source: go_vulndb)
https://pkg.go.dev/vuln/GO-2026-5923Choose at most one (leave all unchecked to take no action for this group):
Group 255: github.com/coder/coder (discovery, source: go_vulndb)
https://pkg.go.dev/vuln/GO-2026-5924Choose at most one (leave all unchecked to take no action for this group):
Group 256: github.com/coder/coder (discovery, source: go_vulndb)
https://pkg.go.dev/vuln/GO-2026-5925Choose at most one (leave all unchecked to take no action for this group):
Group 257: github.com/coder/coder and github.com/coder/coder/v2 (discovery, source: go_vulndb)
https://pkg.go.dev/vuln/GO-2026-5926Choose at most one (leave all unchecked to take no action for this group):
Group 258: golang.org/x/crypto (discovery, source: go_vulndb)
https://pkg.go.dev/vuln/GO-2026-5932Exact proposed issue for action
disc-8d1a88c681470e3b9c5dTitle:
update: golang.org/x/cryptoLabels: advisory, security
Choose at most one (leave all unchecked to take no action for this group):
Group 259: crossbeam-epoch (discovery, source: rustsec)
https://rustsec.org/advisories/RUSTSEC-0000-0000.htmlChoose at most one (leave all unchecked to take no action for this group):
Group 260: crossbeam-epoch (discovery, source: rustsec)
https://rustsec.org/advisories/RUSTSEC-2026-0204.htmlChoose at most one (leave all unchecked to take no action for this group):
Group 261: exploration (discovery, source: rustsec)
https://rustsec.org/advisories/RUSTSEC-2026-0155.htmlChoose at most one (leave all unchecked to take no action for this group):
Group 262: oneringbuf (discovery, source: rustsec)
https://rustsec.org/advisories/RUSTSEC-2026-0152.htmlChoose at most one (leave all unchecked to take no action for this group):
Group 263: rustybuzz (discovery, source: rustsec)
https://rustsec.org/advisories/RUSTSEC-0000-0000.htmlChoose at most one (leave all unchecked to take no action for this group):
Group 264: rustybuzz (discovery, source: rustsec)
https://rustsec.org/advisories/RUSTSEC-2026-0206.htmlChoose at most one (leave all unchecked to take no action for this group):
Group 265: scc (discovery, source: rustsec)
https://rustsec.org/advisories/RUSTSEC-0000-0000.htmlChoose at most one (leave all unchecked to take no action for this group):
Group 266: scc (discovery, source: rustsec)
https://rustsec.org/advisories/RUSTSEC-2026-0205.htmlChoose at most one (leave all unchecked to take no action for this group):
This section is machine-readable metadata used by the apply automation. It is safe to ignore while reviewing.