#1134567 docker-registry: CVE-2026-33540 and CVE-2026-35172

#1134567#5
Date:
2026-04-21 20:44:28 UTC
Hi,

The security tracker currently lists docker-registry as unfixed for two
upstream distribution vulnerabilities fixed in upstream 3.1.0:

* CVE-2026-33540 / GHSA-3p65-76g6-3w7r
  Pull-through cache credential exfiltration via an unvalidated
  WWW-Authenticate bearer realm.

  Advisory: https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r

  The advisory lists affected versions as <= 3.0.0 and patched versions
  as >= 3.1.0. Debian currently has 2.7.1+ds2-7+deb11u1 in bullseye,
  2.8.2+ds1-1 in bookworm, and 2.8.3+ds1-2 in trixie/forky/sid.

  I checked the current sid source, 2.8.3+ds1-2. The vulnerable flow
  appears present:

  - registry/proxy/proxyauth.go:getAuthURLs appends the bearer realm
    from the upstream WWW-Authenticate challenge.
  - registry/client/auth/session.go:fetchToken parses that realm and
    fetchTokenWithBasicAuth sends configured credentials to it.

* CVE-2026-35172 / GHSA-f2g3-hh2r-cwgc
  Stale blob access resurrection via repo-scoped Redis descriptor cache
  invalidation.

  Advisory: https://github.com/distribution/distribution/security/advisories/GHSA-f2g3-hh2r-cwgc

  The advisory lists affected versions as <= 3.0.x and <= 2.8.x when
  redis blob descriptor cache and delete are both enabled, and patched
  versions as >= 3.1.0.

  I checked the current sid source, 2.8.3+ds1-2. The relevant Redis cache
  code appears present:

  - registry/storage/cache/redis/redis.go has
    repositoryScopedRedisBlobDescriptorService.Clear.
  - That method checks repository membership and then calls
    rsrbds.upstream.Clear(ctx, dgst), matching the upstream advisory's
    vulnerable invalidation path.

Regards,
James
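Added example (not code from the distribution project, the Debian package or this report) of the defensive check the CVE-2026-33540 flow above lacks: parse the upstream Bearer challenge and refuse to send the pull-through cache's configured credentials unless the realm is an https URL on the configured upstream's host. The function names, the same-host rule and the sample challenges are assumptions of this example, not the upstream 3.1.0 fix.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// parseBearerChallenge splits a `Bearer k="v",k2="v2"` WWW-Authenticate value
// into its parameters. Values are assumed quoted (as registries emit them), so
// splitting on `",` keeps commas inside a scope such as "...:pull,push" intact.
func parseBearerChallenge(header string) (map[string]string, error) {
	scheme, rest, _ := strings.Cut(strings.TrimSpace(header), " ")
	if !strings.EqualFold(scheme, "Bearer") {
		return nil, fmt.Errorf("unsupported auth scheme %q", scheme)
	}
	params := map[string]string{}
	for _, kv := range strings.Split(rest, `",`) {
		k, v, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if !ok {
			return nil, fmt.Errorf("malformed parameter %q", kv)
		}
		params[strings.ToLower(k)] = strings.Trim(v, `"`)
	}
	return params, nil
}

// tokenRealm returns the realm a pull-through cache may fetch a token from.
// Assumed mitigation (not the upstream patch): the realm must be an https URL
// on the upstream's host, so stored credentials never reach a third-party realm.
func tokenRealm(challenge string, upstream *url.URL) (string, error) {
	p, err := parseBearerChallenge(challenge)
	if err != nil {
		return "", err
	}
	u, err := url.Parse(p["realm"]) // a missing realm parses as "" and is refused
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || !strings.EqualFold(u.Host, upstream.Host) {
		return "", fmt.Errorf("refusing realm %q for upstream %s", p["realm"], upstream.Host)
	}
	return p["realm"], nil
}

func main() {
	up, _ := url.Parse("https://registry.example.test") // constructed upstream
	fmt.Println(tokenRealm(`Bearer realm="https://registry.example.test/token",service="registry"`, up))
	fmt.Println(tokenRealm(`Bearer realm="https://untrusted.example.test/token",service="registry"`, up))
}
```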