Uncontrolled Recursion Affecting k3s package, versions <1.35.3.1-r7


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.12% (3rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-K3S-16535068
  • published8 May 2026
  • disclosed27 May 2026

Introduced: 8 May 2026

CVE-2026-42328  (opens in a new tab)
CWE-674  (opens in a new tab)

How to fix?

Upgrade Chainguard k3s to version 1.35.3.1-r7 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream k3s package and not the k3s package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow (distinct from a recoverable panic). This vulnerability is fixed in 0.23.0.