CVE-2026-33022

Severity: MEDIUM (CVSS 3.1 base score 6.5)
Published: 2026-03-17
Project: https://github.com/tektoncd/pipeline
Advisory: GHSA-cv4x-93xx-wgfj

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
Analysis Generated: Mar 17, 2026 - 20:30 (vuln.today)
CVE Published: Mar 17, 2026 - 19:46 (nvd)

Description

### Summary

A user with permission to create or update a TaskRun or PipelineRun can crash the Tekton Pipelines controller by setting `.spec.taskRef.resolver` (or `.spec.pipelineRef.resolver`) to a string of 31 characters or more, causing a denial of service for all reconciliation.

### Details

The controller panics in `GenerateDeterministicNameFromSpec` when building a deterministic `ResolutionRequest` name. The generated name has the format `{resolver}-{hash}` and, when the resolver name is long enough, the result exceeds the DNS-1123 label limit of 63 characters.

The truncation logic attempts to find a word boundary using `strings.LastIndex(name, " ")`. Since the generated name never contains spaces (it is composed of the resolver name, a dash, and a hex-encoded hash), `LastIndex` returns `-1`, which is then used as a slice bound:

```go
return name[:strings.LastIndex(name[:maxLength], " ")], nil
// strings.LastIndex returns -1 → panic: slice bounds out of range [:-1]
```

The panic crashes the controller. Because the offending TaskRun or PipelineRun is re-reconciled on restart, the controller enters a `CrashLoopBackOff`, blocking all TaskRun and PipelineRun reconciliation cluster-wide until the offending resource is manually deleted.

Built-in resolvers use short names (`git`, `cluster`, `bundles`, `hub`) and are not affected under normal usage. The vulnerability is exploitable by any user who can create TaskRuns or PipelineRuns with a custom resolver name.

### Impact

**Denial of service** - A single malicious TaskRun or PipelineRun with a long resolver name is sufficient to crash the Tekton Pipelines controller into a restart loop, blocking all CI/CD reconciliation cluster-wide until the resource is removed.

### Patches

_(to be filled in: e.g. "Fixed in versions 1.10.1, 1.9.1, ...")_

The fix computes the hash first, then truncates only the prefix (resolver name) to fit within the DNS-1123 label limit, preserving the full hash to maintain determinism and uniqueness of `ResolutionRequest` names.

### Workarounds

Restrict who can create TaskRun and PipelineRun resources via Kubernetes RBAC. There is no validation-side workaround without patching.

### Affected Versions

All releases from **v0.60.0** through **v1.10.0**. The vulnerable truncation logic was introduced in commit `ea1fa7ad1fdc` ("Remote Resolution Refactor"), first released in v0.60.0 (2024-05-22).

Currently supported affected releases:

- **v1.10.x** (latest)
- **v1.9.x** (LTS, EOL 2027-01-30)
- **v1.6.x** (LTS, EOL 2026-10-31)
- **v1.3.x** (LTS, EOL 2026-08-04)
- **v1.0.x** (LTS, EOL 2026-04-29)

Releases prior to v0.60.0 are **not affected** - the truncation code did not exist.

### Acknowledgments

This vulnerability was reported by Oleh Konko (@1seal), who provided a thorough vulnerability analysis, proof-of-concept, and review of the fix. Thank you!

### References

- Fix: _(link to merged PR/commit)_
- Introduced in: `ea1fa7ad1fdc` ("Remote Resolution Refactor")

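As an added illustration (not the advisory's or Tekton's own code), the Go program below models the flawed truncation described under Details next to the fix strategy described under Patches. The names `hashSpec`, `vulnerableTruncate`, `fixedName` and `panics` are chosen here, and the hash is a stand-in for the controller's real hashing, sized at 32 hex characters so that the advisory's 31-character threshold reproduces.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

const maxDNS1123Label = 63 // the DNS-1123 label limit the advisory cites

// hashSpec stands in for the controller's spec hash (assumed, not the real one);
// 32 hex chars reproduce the threshold: 31-char resolver + "-" + 32 = 64 > 63.
func hashSpec(spec string) string {
	sum := sha256.Sum256([]byte(spec))
	return hex.EncodeToString(sum[:16])
}

// vulnerableTruncate mirrors the advisory's flawed logic: "{resolver}-{hash}"
// never contains a space, so LastIndex yields -1 and the slice expression panics.
func vulnerableTruncate(name string) (string, error) {
	if len(name) <= maxDNS1123Label {
		return name, nil
	}
	return name[:strings.LastIndex(name[:maxDNS1123Label], " ")], nil
}

// fixedName follows the described fix: hash first, cut only the resolver prefix,
// keep the whole hash; a dangling "-" is trimmed so the result stays a valid label.
func fixedName(resolver, spec string) string {
	h := hashSpec(spec)
	budget := maxDNS1123Label - len(h) - 1 // room for the "-" separator
	if len(resolver) > budget {
		resolver = strings.TrimRight(resolver[:budget], "-")
	}
	return resolver + "-" + h
}

// panics reports whether fn panics, so the bug can be shown without crashing.
func panics(fn func()) (didPanic bool) {
	defer func() { didPanic = recover() != nil }()
	fn()
	return false
}

func main() {
	long := strings.Repeat("a", 31) // constructed 31-character resolver name
	fmt.Println(panics(func() { vulnerableTruncate(long + "-" + hashSpec("spec")) }), fixedName(long, "spec"))
}
```

Running it prints `true` for the vulnerable path (the panic is caught here, whereas the controller had no recovery) followed by a 63-character name that still ends in the full hash.
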
Analysis

A denial of service vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.


Remediation

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.


Priority Score

33 (KEV: 0, EPSS: +0.0, CVSS: +32, POC: 0)


CVE-2026-33022 vulnerability details – vuln.today
