Upstream information
Description
K3s is a fully conformant production-ready Kubernetes distribution. Prior to 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1, a path traversal vulnerability exists in K3s's etcd snapshot decompression functionality. Archive members with maliciously crafted names in a zip file can be written to arbitrary locations on the filesystem when an administrator restores that archive as a compressed etcd snapshot. This vulnerability is fixed in 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1.
Upstream Security Advisories:
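The flaw described above is the classic "zip slip" pattern: an extractor joins each archive member's name to the destination directory without checking where the cleaned path ends up, so a name such as `../../outside.txt` escapes the restore directory. The Go program below is an added illustration of the defensive check, written for this page; it is not K3s's own code and does not claim to reproduce the upstream fix. `naiveTarget` shows the unsafe join, `safeJoin` the hardened version that rejects absolute names, backslashes and any path that is not strictly below the destination, and `extractZip` fails closed before writing an unsafe member. The function names, the constructed archives and the temporary destination directory are all assumptions made for the demonstration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for archive member names that would resolve
// outside the extraction directory.
var ErrUnsafePath = errors.New("archive member name escapes destination directory")

// naiveTarget is the unsafe pattern: the member name is joined to the
// destination without checking the result. A name such as
// "../../outside.txt" resolves outside dest.
func naiveTarget(dest, name string) string {
	return filepath.Join(dest, name)
}

// safeJoin returns the on-disk path for member name under dest, or
// ErrUnsafePath if the cleaned path is not strictly inside dest.
func safeJoin(dest, name string) (string, error) {
	// Zip member names use '/'; a backslash is either a Windows-style
	// traversal attempt or a malformed entry, so reject it outright.
	if name == "" || strings.Contains(name, "\\") {
		return "", ErrUnsafePath
	}
	// Absolute names (either OS form) are never legitimate in a snapshot.
	if filepath.IsAbs(name) || strings.HasPrefix(name, "/") {
		return "", ErrUnsafePath
	}
	cleanDest := filepath.Clean(dest)
	// Join cleans the result, so any ".." segments are resolved here.
	target := filepath.Join(cleanDest, name)
	// The member must be strictly below dest: a result equal to dest
	// (name "." or "a/..") or outside it is rejected.
	if !strings.HasPrefix(target, cleanDest+string(os.PathSeparator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// extractZip extracts archive bytes into dest and returns the paths it
// wrote. It fails closed on the first unsafe member, before writing it.
func extractZip(data []byte, dest string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var written []string
	for _, f := range zr.File {
		target, err := safeJoin(dest, f.Name)
		if err != nil {
			return written, fmt.Errorf("%s: %w", f.Name, err)
		}
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(target, 0o700); err != nil {
				return written, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o700); err != nil {
			return written, err
		}
		rc, err := f.Open()
		if err != nil {
			return written, err
		}
		out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
		if err != nil {
			rc.Close()
			return written, err
		}
		_, err = io.Copy(out, rc)
		rc.Close()
		out.Close()
		if err != nil {
			return written, err
		}
		written = append(written, target)
	}
	return written, nil
}

// buildZip creates an in-memory archive from (name, content) pairs. It
// exists only to construct sample input for the demonstration.
func buildZip(entries [][2]string) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e[0])
		if err != nil {
			return nil, err
		}
		if _, err := w.Write([]byte(e[1])); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	// Assumed restore directory; a real restore would use the configured path.
	dest, _ := os.MkdirTemp("", "snapshot-restore-")
	defer os.RemoveAll(dest)

	// Constructed samples: one benign member and one with a traversal name.
	benign, _ := buildZip([][2]string{{"snapshot.db", "constructed etcd snapshot bytes"}})
	crafted, _ := buildZip([][2]string{{"../../outside.txt", "must never reach disk"}})

	if paths, err := extractZip(benign, dest); err == nil {
		fmt.Println("benign archive extracted:", paths)
	}
	if _, err := extractZip(crafted, dest); err != nil {
		fmt.Println("crafted archive rejected:", err)
	}
}
```

The prefix test uses `cleanDest + separator` rather than `cleanDest` alone so that a sibling directory such as `/tmp/restore2` is not mistaken for a child of `/tmp/restore`. Newer Go toolchains can also make `zip.NewReader` itself reject insecure names (the `zipinsecurepath` GODEBUG setting), but that check is a backstop, not a substitute for validating the final path the extractor is about to write.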
SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
| CVSS detail | CNA (GitHub) |
|---|---|
| Base Score | 5.8 |
| Vector | CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | High |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality Impact | None |
| Integrity Impact | High |
| Availability Impact | High |
| CVSSv3 Version | 3.1 |
SUSE Security Advisories:
- GHSA-jxr7-mqhw-9p98, published Wed Jun 3 20:58:49 CEST 2026
SUSE Timeline for this CVE
CVE page created: Fri Jun 12 21:27:30 2026
CVE page last modified: Thu Jul 2 12:54:36 2026