Skip to main content

Helm EUVDEUVD-2026-45213

| CVE-2026-63308 MEDIUM
Improper Validation of Array Index (CWE-129)
2026-07-17 VulnCheck GHSA-5gjx-96wq-c8r2
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Chart delivered over network triggers panic on user-initiated render (UI:R); no privileges required on target; availability limited to the failing Helm process only.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 17, 2026 - 16:50 vuln.today
Analysis Generated
Jul 17, 2026 - 16:50 vuln.today
CVE Published
Jul 17, 2026 - 16:14 cve.org
MEDIUM 5.3

DescriptionCVE.org

Helm through 4.2.3, fixed in commit ba6c9a2, contains a denial of service vulnerability in the Files.Lines template helper in pkg/engine/files.go that allows attackers to trigger an index out of range panic by including zero-length byte slices in chart files. Attackers can include empty files in Helm charts to cause deterministic render failures across template, install, upgrade, lint, and SDK Engine.Render operations.

AnalysisAI

Denial of service in Helm's Files.Lines template helper (pkg/engine/files.go) allows any party who can supply a crafted chart to crash Helm operations deterministically by embedding a zero-length file. Affected are all Helm releases through 4.2.3 across template, install, upgrade, lint, and SDK Engine.Render code paths. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain write access to chart repository or CI pipeline
Delivery
Craft chart containing zero-byte file
Exploit
Submit chart to trigger automated helm install/upgrade/lint
Execution
Files.Lines indexes empty byte slice
Persist
Go runtime index-out-of-range panic
Impact
Helm operation fails (DoS)

Vulnerability AssessmentAI

Exploitation The vulnerability triggers when two conditions are simultaneously met: (1) a Helm chart processed by the target system contains at least one file that is exactly zero bytes in length, and (2) a helm template, helm install, helm upgrade, helm lint, or SDK Engine.Render operation is executed against that chart. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N, score 5.3) accurately reflects a moderate, low-complexity network-reachable denial of service with limited impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with the ability to contribute to a shared Helm chart repository or submit a pull request to a GitOps repository crafts a chart containing a single zero-byte file (e.g., `files/empty.txt`). When the target organization's CI/CD pipeline automatically runs `helm lint` or `helm template` against the PR, the Files.Lines helper panics with an index out of range error, causing the pipeline job to fail deterministically. …
Remediation The primary fix is to upgrade to a Helm release that includes commit ba6c9a29efa7bf9198dad6a5ec12b4fb30c96017 (https://github.com/helm/helm/commit/ba6c9a29efa7bf9198dad6a5ec12b4fb30c96017). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Helm

View all
CVE-2019-1000008 MEDIUM POC
6.5 Feb 04

All versions of Helm between Helm >=2.0.0 and < 2.12.2 contains a CWE-22: Improper Limitation of a Pathname to a Restric

CVE-2019-18658 CRITICAL
9.8 Nov 12

In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opport

CVE-2019-1010275 CRITICAL
9.8 Jul 17

helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. Rated critical severity (CVSS 9.8), this vul

CVE-2020-11013 MEDIUM POC
5.0 Apr 24

Their is an information disclosure vulnerability in Helm from version 3.1.0 and before version 3.2.0. Rated medium sever

CVE-2021-32690 HIGH
8.6 Jun 16

Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). Rated high severity (CVSS 8.6), th

CVE-2025-53547 HIGH
8.5 Jul 08

Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a s

CVE-2026-35205 HIGH
8.4 Apr 09

Helm 4.0.0 through 4.1.3 silently installs Kubernetes plugins without cryptographic provenance verification even when si

CVE-2026-35204 HIGH
8.4 Apr 09

Path traversal in Helm 4.0.0-4.1.3 allows local attackers to write arbitrary files during plugin installation or update

CVE-2023-25165 MEDIUM POC
4.3 Feb 08

Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template funct

CVE-2024-26147 HIGH
7.5 Feb 21

Helm is a package manager for Charts for Kubernetes. Rated high severity (CVSS 7.5), this vulnerability is remotely expl

CVE-2022-23526 HIGH
7.5 Dec 15

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Rated high severity (CVSS 7.5), this vulnerabil

CVE-2022-23525 HIGH
7.5 Dec 15

Helm is a tool for managing Charts, pre-configured Kubernetes resources. Rated high severity (CVSS 7.5), this vulnerabil

Share

EUVD-2026-45213 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy