Closed
Labels
area/dependencies, kind/bug, release/26.5.2
Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
dependencies
Describe the bug
A Trivy scan of 26.5.1 lists the critical CVE-2026-22184, which is scored 9.8, resp. 8.6 by Red Hat.
Version
26.5.1
Regression
- The issue is a regression
Expected behavior
No HIGH/CRITICAL vulnerabilities
Actual behavior
quay.io/keycloak/keycloak:26.5.1 (redhat 9.7)
Total: 4 (HIGH: 4, CRITICAL: 0)
┌──────────────────────────┬────────────────┬──────────┬──────────────┬─────────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────────────────┼────────────────┼──────────┼──────────────┼─────────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ java-21-openjdk-headless │ CVE-2025-64720 │ HIGH │ affected │ 1:21.0.9.0.10-2.el9 │ │ libpng: LIBPNG buffer overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-64720 │
│ ├────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2025-65018 │ │ │ │ │ libpng: LIBPNG heap buffer overflow │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-65018 │
│ ├────────────────┤ │ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2025-66293 │ │ │ │ │ libpng: LIBPNG out-of-bounds read in │
│ │ │ │ │ │ │ png_image_read_composite │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-66293 │
│ ├────────────────┤ ├──────────────┤ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2026-22184 │ │ will_not_fix │ │ │ zlib: zlib: Arbitrary code execution via buffer overflow in │
│ │ │ │ │ │ │ untgz utility │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-22184 │
└──────────────────────────┴────────────────┴──────────┴──────────────┴─────────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
How to Reproduce?
trivy image --severity HIGH,CRITICAL quay.io/keycloak/keycloak:26.4.7
Anything else?
We are not sure how critical the finding is in the context of Keycloak at all. At least in the image, untgz does not seem to be present. It is therefore also unclear why the vulnerability is listed for java-21-openjdk-headless.
However, our CI/CD pipeline is currently blocked because of the CVE, and we are wondering how we should handle it.
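One way to unblock a pipeline like this without silencing the whole scan: gate on Trivy's JSON report and waive individual findings with a recorded reason and an expiry, while any finding that gains a FixedVersion still blocks. This is an added example, not code from Keycloak or Trivy; it assumes output from `trivy image --format json`, whose findings sit under Results[].Vulnerabilities[] with VulnerabilityID, PkgName, Severity, Status and FixedVersion fields, and the sample report, waiver reason and dates below are constructed.

```python
import json
from datetime import date

# Constructed sample in Trivy's JSON layout, mirroring the scan in the issue:
# a libpng CVE still marked "affected" and the zlib CVE marked "will_not_fix".
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "quay.io/keycloak/keycloak:26.5.1 (redhat 9.7)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2025-64720", "PkgName": "java-21-openjdk-headless",
         "Severity": "HIGH", "Status": "affected", "FixedVersion": ""},
        {"VulnerabilityID": "CVE-2026-22184", "PkgName": "java-21-openjdk-headless",
         "Severity": "HIGH", "Status": "will_not_fix", "FixedVersion": ""},
    ]}]})

# Accepted-risk list (constructed): every waiver carries a reason and an
# expiry (ISO date) so the exception is re-reviewed instead of living forever.
WAIVERS = {
    "CVE-2026-22184": {"reason": "affected untgz utility is not shipped in the image",
                       "expires": "2026-06-30"},
}

def gate(report_json, waivers, today, fail_on=("HIGH", "CRITICAL")):
    """Split gate-severity findings into "blocking", "waived" and "expired" ids.

    `today` is an ISO date string; YYYY-MM-DD strings compare correctly as text.
    A waiver is ignored once the scanner reports a FixedVersion, because a
    fixable finding should be fixed, not accepted. Expired ids also block.
    """
    blocking, waived, expired = set(), set(), set()
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in fail_on:
                continue
            vid, waiver = v["VulnerabilityID"], waivers.get(v["VulnerabilityID"])
            if waiver is None or v.get("FixedVersion"):
                blocking.add(vid)  # no waiver on file, or a fix is available
            elif waiver["expires"] >= today:
                waived.add(vid)
            else:
                expired.add(vid)
                blocking.add(vid)
    return {k: sorted(s) for k, s in
            (("blocking", blocking), ("waived", waived), ("expired", expired))}

if __name__ == "__main__":
    verdict = gate(SAMPLE_REPORT, WAIVERS, date.today().isoformat())
    print(json.dumps(verdict, indent=2))
    raise SystemExit(1 if verdict["blocking"] else 0)
```

With the sample report, the unfixed libpng finding still fails the gate while the waived zlib finding is reported with its reason; the waiver lapses automatically after its expiry date.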