CVE-2026-39830 Affecting kots package, versions <1.130.4-r4
Threat Intelligence
EPSS
0.06% (18th percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CHAINGUARDLATEST-KOTS-16964940
- published28 May 2026
- disclosed22 May 2026
Introduced: 22 May 2026
NewCVE-2026-39830 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
How to fix?
Upgrade Chainguard kots to version 1.130.4-r4 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kots package and not the kots package as distributed by Chainguard.
See How to fix? for Chainguard relevant fixed versions and status.
A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.