Vulnerabilities in base image Trixie - CVE-2026-4878 and CVE-2026-29111

[florentx]

Detected CVE-2026-4878 and CVE-2026-29111 in python:3.12-slim-trixie

It needs a rebuild, probably.

┌─────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────────┬─────────────────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │ Status │ Installed Version │   Fixed Version   │                          Title                          │
├─────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────────┼─────────────────────────────────────────────────────────┤
│ libcap2     │ CVE-2026-4878  │ HIGH     │ fixed  │ 1:2.75-10+b8      │ 1:2.75-10+deb13u1 │ libcap: libcap: Privilege escalation via TOCTOU race    │
│             │                │          │        │                   │                   │ condition in cap_set_file()                             │
│             │                │          │        │                   │                   │ https://avd.aquasec.com/nvd/cve-2026-4878               │
├─────────────┼────────────────┤          │        ├───────────────────┼───────────────────┼─────────────────────────────────────────────────────────┤
│ libsystemd0 │ CVE-2026-29111 │          │        │ 257.9-1~deb13u1   │ 257.13-1~deb13u1  │ systemd: systemd: Arbitrary code execution or Denial of │
│             │                │          │        │                   │                   │ Service via spurious IPC...                             │
│             │                │          │        │                   │                   │ https://avd.aquasec.com/nvd/cve-2026-29111              │
├─────────────┤                │          │        │                   │                   │                                                         │
│ libudev1    │                │          │        │                   │                   │                                                         │
│             │                │          │        │                   │                   │                                                         │
│             │                │          │        │                   │                   │                                                         │
└─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────────┴─────────────────────────────────────────────────────────┘

[yosifkit]

There is a planned Debian image update this week since there was a Debian patch release over the weekend (https://www.debian.org/News/2026/20260516). We rebuild all Docker Official Images when their parent image is updated so the Debian-based python images will be updated soon.

• https://security-tracker.debian.org/tracker/CVE-2026-4878 (I think that running as a non-root user with "no-new-privileges" on the container and this can't be exploited)
• https://security-tracker.debian.org/tracker/CVE-2026-29111 (this one doesn't affect anything in the context of just libsystemd0; it only matters if you are running systemd as PID 1 in the container)

---

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:bookworm would be rebuilt when debian:bookworm is built).

-https://github.com/docker-library/official-images/tree/8384586122f68760fdcfc9472257d177be2d6282#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/e5475a9b3d7c34b8a1e3902df0f4959c5b33e593#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link