2455571 – (CVE-2026-35172) CVE-2026-35172 github.com/distribution/distribution: Distribution: Information disclosure via stale references after content deletion

Bug 2455571 (CVE-2026-35172) - CVE-2026-35172 github.com/distribution/distribution: Distribution: Information disclosure via stale references after content deletion

Summary: CVE-2026-35172 github.com/distribution/distribution: Distribution: Informatio...

Keywords:
Status:	NEW
Alias:	CVE-2026-35172
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-06 20:02 UTC by OSIDB Bzimport
Modified:	2026-04-07 14:16 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-06 20:02:10 UTC

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared digest descriptor but leaves stale repo-scoped membership behind, so a later Stat or Get from repo b repopulates the shared descriptor and makes the deleted blob readable from repo a again. This vulnerability is fixed in 3.1.0.

Note You need to log in before you can comment on or make changes to this bug.