From 9fcbd4b882c579cc6a5acd96308426b5ed9f696e Mon Sep 17 00:00:00 2001 From: Jaison Paul Date: Fri, 6 Mar 2026 01:01:53 -0500 Subject: [PATCH] Remove vulnerable helper binaries from distroless image The NVIDIA distroless base image (nvcr.io/nvidia/distroless/cc:v4.0.1) ships shelless_ulimit and sleep helper binaries built with Go 1.25.5, which carry 1 CRITICAL and 3 HIGH CVEs: - CVE-2025-68121 (CRITICAL): crypto/tls session resumption - CVE-2025-61726 (HIGH): net/url memory exhaustion - CVE-2025-61728 (HIGH): archive/zip CPU exhaustion - CVE-2025-61730 (HIGH): TLS 1.3 handshake issue All are fixed in Go >= 1.25.7 but the base image has not been rebuilt. dcgm-exporter does not reference these binaries, so removing them eliminates the CVEs without any functional impact. Signed-off-by: Jaison Paul --- docker/Dockerfile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docker/Dockerfile b/docker/Dockerfile index a3390f93..168c168b 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -339,6 +339,12 @@ ENV NVIDIA_DRIVER_CAPABILITIES=compute,utility,compat32 ENV NVIDIA_DISABLE_REQUIRE="true" ENV NVIDIA_VISIBLE_DEVICES=all +# Remove unused helper binaries from the base image that are built with an +# older Go toolchain and carry known CVEs (e.g. CVE-2025-68121). +# dcgm-exporter does not reference these binaries. +COPY --from=runtime-distroless-helper --chown=root:root --chmod=755 /bin/rm /bin/rm +RUN rm -f /usr/bin/shelless_ulimit_* /usr/bin/sleep_* /bin/rm + # Security Note: Default USER # # This container runs as root by default because: