DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-41485: Denial of Service in Kyverno via Unchecked Type Assertion in Mutation Engine

Vulnerability ID: CVE-2026-41485
CVSS Score: 7.7
Published: 2026-04-24

Kyverno policy engine versions prior to 1.16.4, and 1.17.0-rc1 through 1.17.1, are vulnerable to a Denial of Service. An unchecked Go type assertion in the legacy mutation engine triggers a runtime panic when a rule references a JMESPath variable that does not resolve.

TL;DR

A Go type assertion panic in Kyverno's mutation engine allows authenticated users to crash the background and admission controllers, leading to a persistent DoS.
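The crash mechanism, as an added illustration that is not Kyverno's code: `policyRule` is a constructed stand-in for the decoded mutate block, `vulnerableJSON6902` reproduces the single-value assertion pattern, and `safeJSON6902` shows the checked form that reports a missing or non-string value as an error instead of panicking.

```go
package main

import (
	"errors"
	"fmt"
)

// policyRule stands in for the decoded "mutate" block of a rule after JMESPath
// substitution (constructed type). An unresolved variable leaves a nil value.
type policyRule map[string]interface{}

// vulnerableJSON6902 mirrors the pre-fix pattern: a single-value assertion on a
// map lookup. A nil interface fails the assertion and the goroutine panics.
func vulnerableJSON6902(fe policyRule) string {
	return fe["patchesJson6902"].(string)
}

// safeJSON6902 uses the two-value form and checks the ok flag, so a missing or
// non-string value becomes an error rather than a crash or a silently empty patch.
func safeJSON6902(fe policyRule) (string, error) {
	v := fe["patchesJson6902"] // nil when the key is absent
	if v == nil {
		return "", errors.New("patchesJson6902 missing: unresolved JMESPath variable?")
	}
	s, ok := v.(string)
	if !ok {
		return "", fmt.Errorf("patchesJson6902 has type %T, want string", v)
	}
	return s, nil
}

// callerSurvives reports whether fn(fe) returns without panicking (a controller
// loop with no recover of its own would die here).
func callerSurvives(fn func(policyRule) string, fe policyRule) (survived bool) {
	defer func() {
		if recover() != nil {
			survived = false
		}
	}()
	fn(fe)
	return true
}

func main() {
	// Constructed inputs: one resolved rule and one whose variable did not resolve.
	good := policyRule{"patchesJson6902": "- op: add\n  path: /metadata/labels/team\n  value: sec"}
	missing := policyRule{"patchStrategicMerge": nil}
	fmt.Println("vulnerable/good survives:", callerSurvives(vulnerableJSON6902, good))
	fmt.Println("vulnerable/missing survives:", callerSurvives(vulnerableJSON6902, missing))
}
```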


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-617
  • Attack Vector: Network
  • CVSS Score: 7.7
  • EPSS Score: 0.00037
  • Impact: High (Denial of Service)
  • Exploit Status: PoC Available
  • Privileges Required: Low (Policy RBAC)

Affected Systems

  • Kyverno Legacy Mutation Engine
  • Kyverno Background Controller
  • Kyverno Admission Webhook
  • Kyverno: < 1.16.4 (Fixed in: 1.16.4)
  • Kyverno: >= 1.17.0-rc1, <= 1.17.1 (Fixed in: 1.17.2)

Code Analysis

Commit: 76c8fdb

Fix: Handle missing jmespath variables in patchesJson6902 to prevent panic

- patcher := NewPatcher(fe["patchStrategicMerge"], fe["patchesJson6902"].(string))
+ jsonPatch, _ := fe["patchesJson6902"].(string)
+ patcher := NewPatcher(fe["patchStrategicMerge"], jsonPatch)
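Review bot: the blank identifier in `jsonPatch, _ := fe["patchesJson6902"].(string)` discards the ok flag, so a missing or non-string value is now handed to NewPatcher as an empty string and the rule silently does nothing instead of failing. Consider checking ok and returning an error (or at least logging) so an unresolved JMESPath variable in a policy is visible to operators rather than masked.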

Exploit Details

Mitigation Strategies

  • Upgrade Kyverno to a non-vulnerable version (1.16.4 or 1.17.2).
  • Restrict RBAC permissions for creating or updating Policy and ClusterPolicy objects.
  • Implement JMESPath default values (e.g., {{ element.field || '' }}) in all policy rules.
  • Migrate policies to the CEL-based engine to bypass legacy mutation vulnerabilities.

Remediation Steps:

  1. Identify the current Kyverno version deployed in the cluster.
  2. Review and audit existing RoleBindings and ClusterRoleBindings that grant policy manipulation rights.
  3. Apply the Kyverno helm chart or manifest upgrade to version 1.16.4 or >= 1.17.2.
  4. Clear any pending or poisoned UpdateRequest objects from the cluster if the background controller remains in CrashLoopBackOff post-upgrade.

References


Read the full report for CVE-2026-41485 on our website for more details including interactive diagrams and full exploit analysis.
