Skip to main content

Kyverno EUVDEUVD-2026-25392

| CVE-2026-41485 HIGH
Reachable Assertion (CWE-617)
2026-04-24 GitHub_M GHSA-fpjq-c37h-cqcv
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Patch released
Apr 27, 2026 - 17:54 nvd
Patch available
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Patch available
Apr 24, 2026 - 05:31 EUVD
Analysis Generated
Apr 24, 2026 - 04:31 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 04:00 euvd
EUVD-2026-25392
Analysis Generated
Apr 24, 2026 - 04:00 vuln.today
CVE Published
Apr 24, 2026 - 03:27 nvd
HIGH 7.7

DescriptionGitHub Advisory

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the forEach mutation handler allows any user with permission to create a Policy or ClusterPolicy to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also causes the admission controller to drop connections and block all matching resource operations. The crash loop persists until the policy is deleted. The vulnerability is confined to the legacy engine, and CEL-based policies are unaffected. Versions 1.17.2 and 1.16.4 fix the issue.

AnalysisAI

A type assertion bug in Kyverno's forEach mutation handler crashes the cluster-wide background controller into CrashLoopBackOff and blocks admission controller operations, causing denial of service for policy-matched resources. Any authenticated user with Policy or ClusterPolicy creation permissions can trigger the crash by creating a malformed policy. The vulnerability affects Kyverno versions prior to 1.17.2 and 1.16.4, is limited to the legacy policy engine (CEL-based policies unaffected), and persists until the malicious policy is deleted. Vendor-released patches available with confirmed fix commits on GitHub.

Technical ContextAI

Kyverno is a Kubernetes-native policy engine that validates, mutates, and generates resources. The vulnerability (CWE-617: Reachable Assertion) exists in the legacy policy engine's forEach mutation handler, where an unchecked type assertion causes a runtime panic when processing malformed policy objects. The background controller, which reconciles policy state cluster-wide, enters CrashLoopBackOff when the assertion fails, while the admission webhook drops connections attempting to process matching resources. This affects the legacy policy DSL; the newer CEL (Common Expression Language) policy engine uses different code paths and remains unaffected. The CPE identifier cpe:2.3:a:kyverno:kyverno indicates all Kyverno instances below the patched versions are vulnerable regardless of Kubernetes distribution.

RemediationAI

Upgrade to Kyverno version 1.17.2 or later for 1.17.x deployments, or version 1.16.4 or later for 1.16.x deployments. The fix is implemented in commits 76c8fdbe87328722e099e1fd44c3f21c9f7809cb and 80e728c2283a0c65e5adb02d8a907106e6ebe7e3 available at the referenced GitHub URLs. As an immediate workaround prior to patching, implement strict RBAC controls limiting Policy and ClusterPolicy creation permissions to only highly trusted administrators - use Kubernetes admission controllers or OPA Gatekeeper to enforce least-privilege on policy management. If a crash loop is already occurring, identify and delete the malformed policy via kubectl to restore controller operation, then investigate how unauthorized policy creation occurred. Migrating legacy policies to CEL-based format eliminates exposure to this vulnerability class but requires policy rewriting effort and testing. Organizations using managed Kyverno deployments should consult their platform provider for patch application timelines.

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-25392 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy