CVE-2026-35172: Distribution: stale blob access resurrection via repo-scoped redis descriptor cache invalidation

April 6, 2026

distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. the delete path clears the shared digest descriptor but leaves stale repo-scoped membership behind, so a later Stat or Get from repo b repopulates the shared descriptor and makes the deleted blob readable from repo a again.

References

github.com/advisories/GHSA-f2g3-hh2r-cwgc
github.com/distribution/distribution
github.com/distribution/distribution/commit/078b0783f239b4115d1a979e66f08832084e9d1d
github.com/distribution/distribution/security/advisories/GHSA-f2g3-hh2r-cwgc
nvd.nist.gov/vuln/detail/CVE-2026-35172

Code Behaviors & Features

Detect and mitigate CVE-2026-35172 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →