CVE Reports

Posted on DEV Community • Originally published at cvereports.com

CVE-2026-23881: The Policy That Ate the Cluster: Deep Dive into CVE-2026-23881


Vulnerability ID: CVE-2026-23881
CVSS Score: 7.7
Published: 2026-01-27

A logic flaw in Kyverno's variable context handling allows for exponential memory amplification (a 'Billion Laughs' style attack), enabling attackers to crash the admission controller and either bypass security policies or deadlock the cluster.

TL;DR

Kyverno, the Kubernetes policy engine, did not cap the memory used by policy context variables. By chaining JMESPath variable definitions that reference themselves, an attacker can turn a few kilobytes of policy YAML into gigabytes of RAM usage. This OOM-kills the Kyverno controller, causing a Denial of Service. If Kyverno is configured to 'Fail-Open', admission requests proceed without being evaluated, so security checks are bypassed; if 'Fail-Closed', every request Kyverno must evaluate is rejected and the cluster becomes effectively immutable. Patched in 1.15.3 and 1.16.3.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-770 (Resource Allocation without Limits)
  • Attack Vector: Network (via Kubernetes API)
  • CVSS v3.1: 7.7 (High)
  • Impact: Denial of Service / Security Bypass
  • Exploit Complexity: Low (Requires Policy Creation Rights)
  • Component: pkg/engine/context

Affected Systems

  • Kyverno Admission Controller
  • Kyverno Reports Controller
  • Kubernetes Clusters using Kyverno
  • Kyverno: < 1.15.3 (Fixed in: 1.15.3)
  • Kyverno: >= 1.16.0, < 1.16.3 (Fixed in: 1.16.3)

Code Analysis

Commit: 7a651be

Introduce maxContextSize to limit memory consumption

```go
func (c *Context) AddContextEntry(...) error {
    ...
    // Reject the entry once the tracked context size exceeds the new cap.
    if c.currentSize > c.maxContextSize {
        return Error
    }
    ...
}
```
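To make the cap's effect concrete, here is an added Go model of the mechanism the TL;DR describes and of the check the commit above introduces. It is example code written for this post, not Kyverno's code: the `Context`, `AddContextEntry`, `currentSize` and `maxContextSize` names echo the snippet, but the `{{ name }}` resolution, the `LoadChain` driver and the 16-byte seed value are assumptions of the example, and `ErrContextSizeLimitExceeded` is the example's own stand-in for the `ContextSizeLimitExceededError` the remediation steps mention. Each chained entry references the previous one twice, so the resolved size doubles per entry: with no cap, 20 entries resolve to tens of megabytes, while a 64 KiB cap stops the chain at the 13th entry.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ErrContextSizeLimitExceeded is this example's stand-in for the error the
// page says to watch for in controller logs.
var ErrContextSizeLimitExceeded = errors.New("context size limit exceeded")

// Context is a toy model of a policy variable context: resolved values are
// stored by name and the total number of stored bytes is tracked.
type Context struct {
	values         map[string]string
	currentSize    int
	maxContextSize int // 0 means unbounded (the pre-fix behaviour)
}

func NewContext(maxContextSize int) *Context {
	return &Context{values: map[string]string{}, maxContextSize: maxContextSize}
}

// refPattern matches a {{ name }} reference to an earlier context entry
// (an assumption of the example, not Kyverno's own variable syntax handling).
var refPattern = regexp.MustCompile(`\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}`)

// resolve expands references against already-defined entries; unknown
// references are left in place because only size accounting matters here.
func (c *Context) resolve(raw string) string {
	return refPattern.ReplaceAllStringFunc(raw, func(m string) string {
		name := refPattern.FindStringSubmatch(m)[1]
		if v, ok := c.values[name]; ok {
			return v
		}
		return m
	})
}

// AddContextEntry resolves the entry and stores it, rejecting it when the
// accumulated resolved size would exceed maxContextSize.
func (c *Context) AddContextEntry(name, raw string) error {
	resolved := c.resolve(raw)
	next := c.currentSize + len(resolved)
	if c.maxContextSize > 0 && next > c.maxContextSize {
		return fmt.Errorf("%w: entry %q resolves to %d bytes, context would grow to %d (cap %d)",
			ErrContextSizeLimitExceeded, name, len(resolved), next, c.maxContextSize)
	}
	c.values[name] = resolved
	c.currentSize = next
	return nil
}

// chainedEntries builds depth+1 entries where each references the previous
// one twice, so the resolved size doubles per step from a 16-byte seed.
func chainedEntries(depth int) [][2]string {
	entries := [][2]string{{"v0", strings.Repeat("x", 16)}}
	for i := 1; i <= depth; i++ {
		entries = append(entries, [2]string{
			fmt.Sprintf("v%d", i),
			fmt.Sprintf("{{ v%d }}{{ v%d }}", i-1, i-1),
		})
	}
	return entries
}

// LoadChain feeds the chained entries into a context with the given cap and
// reports how many were accepted, the tracked size, and the rejection error if any.
func LoadChain(depth, maxContextSize int) (accepted, size int, err error) {
	ctx := NewContext(maxContextSize)
	for _, e := range chainedEntries(depth) {
		if err = ctx.AddContextEntry(e[0], e[1]); err != nil {
			return accepted, ctx.currentSize, err
		}
		accepted++
	}
	return accepted, ctx.currentSize, nil
}

func main() {
	// Unbounded: the last of 20 doublings alone resolves to 16 MiB.
	n, size, err := LoadChain(20, 0)
	fmt.Printf("unbounded: accepted=%d entries, tracked=%d bytes, err=%v\n", n, size, err)
	// Capped at 64 KiB: the chain is cut off long before it becomes a problem.
	n, size, err = LoadChain(20, 64*1024)
	fmt.Printf("capped:    accepted=%d entries, tracked=%d bytes, err=%v\n", n, size, err)
}
```

The point of the accounting is that it measures resolved values, not the few bytes of policy text that define them, because the policy text is the only place where the amplification is invisible. The same reasoning applies to any variable source that can reference earlier variables, not just literal values.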

Commit: f5617f6

Refine context size calculation logic

Updates to context calculation plumbing

Exploit Details

  • GitHub: Official Advisory with reproduction steps

Mitigation Strategies

  • Upgrade Kyverno to patched versions immediately.
  • Audit existing policies for complex JMESPath usage, in particular context variables that reference other context variables.
  • Restrict RBAC permissions for Policy creation.

Remediation Steps:

  1. Check current version: kubectl get deployment -n kyverno -o wide
  2. Apply the upgrade manifest or update the Helm chart: helm upgrade kyverno kyverno/kyverno --version 3.2.1 (example)
  3. Verify the new maxContextSize argument is present in the deployment configuration.
  4. Monitor logs for ContextSizeLimitExceededError to ensure valid policies aren't being dropped.
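An added helper for step 1, written for this post and not taken from the original report or from the Kyverno project: it encodes the two affected ranges from the Affected Systems list into a check that can be run over the image references a `kubectl get deployment -n kyverno` query returns. The image-reference parsing (tag after the last colon, optional `v` prefix, pre-release suffix dropped), the `IsAffected` name and the sample tags in `main` are assumptions of the example.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// version is major.minor.patch.
type version [3]int

// less reports whether a sorts strictly before b.
func (a version) less(b version) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// parseVersion accepts a bare version ("1.15.3", "v1.16.2") or a full image
// reference ("registry.example:5000/kyverno/kyverno:v1.16.1-rc.1"): the tag
// after the last ':' is used and any pre-release or build suffix is dropped.
func parseVersion(s string) (version, error) {
	if i := strings.LastIndex(s, ":"); i >= 0 {
		s = s[i+1:]
	}
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("cannot parse version from %q", s)
	}
	var v version
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return version{}, fmt.Errorf("cannot parse version from %q: %v", s, err)
		}
		v[i] = n
	}
	return v, nil
}

// IsAffected applies the advisory's ranges: < 1.15.3, or >= 1.16.0 and < 1.16.3.
func IsAffected(imageOrTag string) (bool, error) {
	v, err := parseVersion(imageOrTag)
	if err != nil {
		return false, err
	}
	fixed115 := version{1, 15, 3}
	first116 := version{1, 16, 0}
	fixed116 := version{1, 16, 3}
	return v.less(fixed115) || (!v.less(first116) && v.less(fixed116)), nil
}

func main() {
	// Constructed sample tags; pass real image references as arguments instead.
	inputs := os.Args[1:]
	if len(inputs) == 0 {
		inputs = []string{"v1.15.2", "v1.15.3", "v1.16.2", "v1.16.3", "v1.17.0", "latest"}
	}
	for _, in := range inputs {
		affected, err := IsAffected(in)
		switch {
		case err != nil:
			fmt.Printf("%-12s  UNKNOWN (%v)\n", in, err)
		case affected:
			fmt.Printf("%-12s  AFFECTED - upgrade to 1.15.3 / 1.16.3 or later\n", in)
		default:
			fmt.Printf("%-12s  not affected\n", in)
		}
	}
}
```

Saved as, say, check.go, it can be fed live values with `go run check.go $(kubectl get deployment -n kyverno -o jsonpath='{.items[*].spec.template.spec.containers[*].image}')`. Anything it cannot parse, such as a `latest` tag, is reported as UNKNOWN rather than silently passed, which is the behaviour you want from a remediation check.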

Read the full report for CVE-2026-23881 on our website for more details including interactive diagrams and full exploit analysis.
