Threat Advisory

Kyverno Controller Denial of Service via Unchecked Mutation

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-41485 (CVSS 7.7, High) is a Denial of Service vulnerability in the Kyverno controller. It affects the Go module go/github.com/kyverno/kyverno in versions 1.13.0 to 1.16.4 and 1.17.0-rc.1 to 1.17.1. An unchecked type assertion in the `forEach` mutation handler lets any user with permission to create a `Policy` or `ClusterPolicy` crash the cluster-wide background controller into a persistent CrashLoopBackOff; the admission controller then drops connections and blocks all matching resource operations. The crash loop persists until the offending policy is deleted, and the defect is confined to the legacy engine. The vulnerability is exploitable over the network with low privileges and no user interaction, so the only prerequisite is RBAC permission to create Policy or ClusterPolicy objects. The trigger is a `foreach` rule containing a variable substitution that resolves to a nil value at runtime, which the handler asserts to a concrete type without checking. The resulting impact is loss of cluster operations: system downtime, wasted resources, and potential data loss for workloads blocked from reconciling.
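The failure mode described above, as an added Go illustration that is not Kyverno's code: a hypothetical `forEach` handler receives a substituted variable as an `interface{}`, and a bare type assertion on a nil value panics, whereas the comma-ok form turns the same input into a reportable error. The function names, the `ErrNotList` sentinel and the sample inputs are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotList is a constructed sentinel returned by the hardened variant when
// the substituted value is not a list (including when it is nil).
var ErrNotList = errors.New("forEach: substituted value is not a list")

// countItemsUnchecked mirrors the vulnerable pattern: a bare type assertion on a
// value that may be nil. Asserting a nil interface to []interface{} panics, and a
// controller with no recover() around this call restarts (CrashLoopBackOff).
func countItemsUnchecked(substituted interface{}) int {
	list := substituted.([]interface{}) // panics on nil or on any non-list value
	return len(list)
}

// countItemsChecked is the hardened form: the comma-ok assertion converts bad
// input into an error the caller can surface as a policy failure instead of a crash.
func countItemsChecked(substituted interface{}) (int, error) {
	list, ok := substituted.([]interface{})
	if !ok {
		return 0, ErrNotList
	}
	return len(list), nil
}

// runUnchecked wraps the vulnerable variant and converts its panic into an error
// so the crash can be observed in-process. This wrapper exists only to make the
// panic visible here; it is not a mitigation.
func runUnchecked(substituted interface{}) (n int, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("handler panicked: %v", r)
		}
	}()
	return countItemsUnchecked(substituted), nil
}

func main() {
	// Constructed inputs: a normal list, and a nil value standing in for a
	// variable such as {{ request.object.spec.missing }} that resolves to nothing.
	good := []interface{}{"a", "b", "c"}
	var nilValue interface{}

	n, err := runUnchecked(good)
	fmt.Println("unchecked, list input:", n, err)
	n, err = runUnchecked(nilValue)
	fmt.Println("unchecked, nil input:", n, err)

	n, err = countItemsChecked(nilValue)
	fmt.Println("checked, nil input:", n, err)
}
```

The same pattern applies to assertions to `map[string]interface{}`: any place a substituted variable is asserted without the comma-ok form is a crash reachable by whoever can author the policy.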

RECOMMENDATION:

  • Update go/github.com/kyverno/kyverno to a patched release; the advisory lists 1.16.4 or 1.17.2. Note that 1.16.4 also appears in the affected range above, so confirm the exact patched 1.16.x version against the GitHub advisory before relying on it.
  • Until patched, delete any `Policy` or `ClusterPolicy` whose `foreach` mutate rule substitutes a variable that can resolve to nil, and restrict permission to create these objects to trusted principals, since that permission alone is sufficient to trigger the crash loop.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-fpjq-c37h-cqcv
