← Back

CVE-2026-41485

nvd nist
Published: Apr 24, 2026Modified: Apr 27, 2026

JSON object

Loading...
7.7
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Exploitability: 3.1 / Impact: 4.0
Source: security-advisories@github.com (Secondary)

Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also causes the admission controller to drop connections and block all matching resource operations. The crash loop persists until the policy is deleted. The vulnerability is confined to the legacy engine, and CEL-based policies are unaffected. Versions 1.17.2 and 1.16.4 fix the issue.

Affected (2)

Products: Kyverno: Kyverno
Kyverno
1 product
Kyverno
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Kyverno
Kyverno
From 1.17.0 to 1.17.2
Kyverno
From 1.13.0 to 1.16.4

Related CWEs

CWE-617
Reachable Assertion
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

References (4)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
ExploitVendor Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
ExploitVendor Advisory

Timeline

No history available yet.