Uncontrolled Recursion Affecting alloy package, versions <1.17.1-150700.15.23.1


Severity

Recommended
0.0
high
0
10

Based on SUSE Linux Enterprise Server security rating.

Threat Intelligence

EPSS
0.3% (21st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-SLES157-ALLOY-17949484
  • published11 Jul 2026
  • disclosed9 Jul 2026

Introduced: 9 Jul 2026

NewCVE-2026-44740  (opens in a new tab)
CWE-674  (opens in a new tab)
CWE-835  (opens in a new tab)

How to fix?

Upgrade SLES:15.7 alloy to version 1.17.1-150700.15.23.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream alloy package and not the alloy package as distributed by SLES. See How to fix? for SLES:15.7 relevant fixed versions and status.

Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.

CVSS Base Scores

version 3.1