Unable to detect CVE-2023-26604 on Ubuntu 20.04 Container Image

[rahg0]

IDs

CVE-2023-26604

Description

As per Ubuntu Security Tracker, Ubuntu 20.04 is affected with CVE-2023-26604.

If we scan Ubuntu:20.04 image, We are able to see the package in question (libsystemd0 245.4-4ubuntu3.24). However, Trivy didn't flag the CVE-2023-26604 on it.
Wanted to know any reasons for this behaviour.

Reproduction Steps

1. Pull Ubuntu:20.04 image.
# docker pull ubuntu:20.04

2. Scan it with trivy image
# trivy image ubuntu:20.04 -f json --list-all-pkgs

Target

Container Image

Scanner

Vulnerability

Target OS

ubuntu:20.04

Debug Output

$ trivy image ubuntu:20.04 -d
2025-12-10T09:30:45+05:30	DEBUG	No plugins loaded
2025-12-10T09:30:45+05:30	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-12-10T09:30:45+05:30	DEBUG	Cache dir	dir="/Users/xxx/Library/Caches/trivy"
2025-12-10T09:30:45+05:30	DEBUG	Cache dir	dir="/Users/xxx/Library/Caches/trivy"
2025-12-10T09:30:45+05:30	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-12-10T09:30:45+05:30	DEBUG	Ignore statuses	statuses=[]
2025-12-10T09:30:45+05:30	DEBUG	DB update was skipped because the local DB is the latest
2025-12-10T09:30:45+05:30	DEBUG	DB info	schema=2 updated_at=2025-12-10T00:28:02.128218939Z next_update=2025-12-11T00:28:02.128218576Z downloaded_at=2025-12-10T03:54:01.719458Z
2025-12-10T09:30:45+05:30	DEBUG	[pkg] Package types	types=[os library]
2025-12-10T09:30:45+05:30	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-12-10T09:30:45+05:30	DEBUG	[notification] Running version check
2025-12-10T09:30:45+05:30	INFO	[vuln] Vulnerability scanning is enabled
2025-12-10T09:30:45+05:30	INFO	[secret] Secret scanning is enabled
2025-12-10T09:30:45+05:30	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-12-10T09:30:45+05:30	INFO	[secret] Please see https://trivy.dev/docs/v0.68/guide/scanner/secret#recommendation for faster secret detection
2025-12-10T09:30:45+05:30	DEBUG	Initializing scan cache...	type="fs"
2025-12-10T09:30:45+05:30	DEBUG	[notification] Version check completed	latest_version="0.68.1"
2025-12-10T09:30:47+05:30	DEBUG	[image] Image found	image="ubuntu:20.04" source="remote"
2025-12-10T09:30:47+05:30	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-12-10T09:30:47+05:30	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-12-10T09:30:47+05:30	DEBUG	Created process-specific temp directory	path="/var/folders/xy/k215rn153rj2yl372chvd8080000gn/T/trivy-49853"
2025-12-10T09:30:48+05:30	DEBUG	[image] Detected image ID	image_id="sha256:b7bab04fd9aa0c771e5720bf0cc7cbf993fd6946645983d9096126e5af45d713"
2025-12-10T09:30:48+05:30	DEBUG	[image] Detected diff ID	diff_ids=[sha256:470b66ea5123c93b0d5606e4213bf9e47d3d426b640d32472e4ac213186c4bb6]
2025-12-10T09:30:48+05:30	DEBUG	[image] Detected base layers	diff_ids=[]
2025-12-10T09:30:48+05:30	INFO	Detected OS	family="ubuntu" version="20.04"
2025-12-10T09:30:48+05:30	INFO	[ubuntu] Detecting vulnerabilities...	os_version="20.04" pkg_num=92
2025-12-10T09:30:48+05:30	INFO	Number of language-specific files	num=0
2025-12-10T09:30:48+05:30	WARN	This OS version is no longer supported by the distribution	family="ubuntu" version="20.04"
2025-12-10T09:30:48+05:30	WARN	The vulnerability detection may be insufficient because security updates are not provided
2025-12-10T09:30:48+05:30	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-12-10T09:30:48+05:30	DEBUG	[vex] VEX filtering is disabled

Report Summary

┌─────────────────────────────┬────────┬─────────────────┬─────────┐
│           Target            │  Type  │ Vulnerabilities │ Secrets │
├─────────────────────────────┼────────┼─────────────────┼─────────┤
│ ubuntu:20.04 (ubuntu 20.04) │ ubuntu │        2        │    -    │
└─────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


ubuntu:20.04 (ubuntu 20.04)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌──────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────┬───────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version   │                           Title                           │
├──────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────┼───────────────────────────────────────────────────────────┤
│ libc-bin │ CVE-2025-4802 │ MEDIUM   │ fixed  │ 2.31-0ubuntu9.17  │ 2.31-0ubuntu9.18 │ glibc: static setuid binary dlopen may incorrectly search │
│          │               │          │        │                   │                  │ LD_LIBRARY_PATH                                           │
│          │               │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2025-4802                 │
├──────────┤               │          │        │                   │                  │                                                           │
│ libc6    │               │          │        │                   │                  │                                                           │
│          │               │          │        │                   │                  │                                                           │
│          │               │          │        │                   │                  │                                                           │
└──────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────┴───────────────────────────────────────────────────────────┘
2025-12-10T09:30:48+05:30	DEBUG	Cleaning up temp directory	path="/var/folders/xy/k215rn153rj2yl372chvd8080000gn/T/trivy-49853"

Version

# trivy -v
Version: 0.68.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-12-10 00:28:02.128218939 +0000 UTC
  NextUpdate: 2025-12-11 00:28:02.128218576 +0000 UTC
  DownloadedAt: 2025-12-10 03:54:01.719458 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-11-25 00:56:02.039941772 +0000 UTC
  NextUpdate: 2025-11-28 00:56:02.039941491 +0000 UTC
  DownloadedAt: 2025-11-25 04:21:51.432083 +0000 UTC
Check Bundle:
  Digest: sha256:38e239e5ab2bc9e914e69131537e92f429c4b53c108ec0ac1d7f6f91b752b9bc
  DownloadedAt: 2025-03-17 07:11:24.919172 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @rahg0
Thanks for your report!

Created aquasecurity/trivy-db#600 for this task.

Regards, Dmitriy

[rahg0]

Thank you, Dmitriy.