This is a security patch release addressing advisories in the content and remote layers, plus additional hardening and bug fixes since v2.6.1.
Security Fixes
- Resolve the hardlink (
TypeLink) target before passing it toos.Link, preventing a crafted OCI artifact from hardlinking a file outside the extraction directory via the process CWD (#1232, GHSA-fxhp-mv3v-67qp / CVE-2026-50163) - Bound tag and referrer list pagination to prevent a malicious or misbehaving registry from advertising an endless page chain and forcing unbounded client requests (client-side DoS) (#1215)
Bug Fixes
- Bound
content.ReadAllallocation by actual content read rather than the descriptor size, correcting the over-broad 32 MiB cap introduced for GHSA-f36w-mj3v-6jqv so legitimate in-memoryPush/FetchAll/FetchBytesare not rejected (#1223)
Other Changes
- Bump
golang.org/x/syncfrom 0.20.0 to 0.21.0 (#1208)