{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41485", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T16:14:19.007Z", "datePublished": "2026-04-24T03:27:08.865Z", "dateUpdated": "2026-04-24T18:53:26.871Z"}, "containers": {"cna": {"title": "Kyverno Controller Denial of Service via forEach Mutation Panic", "problemTypes": [{"descriptions": [{"cweId": "CWE-617", "lang": "en", "description": "CWE-617: Reachable Assertion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-fpjq-c37h-cqcv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-fpjq-c37h-cqcv"}, {"name": "https://github.com/kyverno/kyverno/commit/76c8fdbe87328722e099e1fd44c3f21c9f7809cb", "tags": ["x_refsource_MISC"], "url": "https://github.com/kyverno/kyverno/commit/76c8fdbe87328722e099e1fd44c3f21c9f7809cb"}, {"name": "https://github.com/kyverno/kyverno/commit/80e728c2283a0c65e5adb02d8a907106e6ebe7e3", "tags": ["x_refsource_MISC"], "url": "https://github.com/kyverno/kyverno/commit/80e728c2283a0c65e5adb02d8a907106e6ebe7e3"}], "affected": [{"vendor": "kyverno", "product": "kyverno", "versions": [{"version": "< 1.16.4", "status": "affected"}, {"version": ">= 1.17.0-rc1, < 1.17.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T03:27:08.865Z"}, "descriptions": [{"lang": "en", "value": "Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also causes the admission controller to drop connections and block all matching resource operations. The crash loop persists until the policy is deleted. The vulnerability is confined to the legacy engine, and CEL-based policies are unaffected. Versions 1.17.2 and 1.16.4 fix the issue."}], "source": {"advisory": "GHSA-fpjq-c37h-cqcv", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-fpjq-c37h-cqcv", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T18:52:40.901788Z", "id": "CVE-2026-41485", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:53:26.871Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41485", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T16:14:19.007Z", "datePublished": "2026-04-24T03:27:08.865Z", "dateUpdated": "2026-04-24T18:53:26.871Z"}, "containers": {"cna": {"title": "Kyverno Controller Denial of Service via forEach Mutation Panic", "problemTypes": [{"descriptions": [{"cweId": "CWE-617", "lang": "en", "description": "CWE-617: Reachable Assertion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-fpjq-c37h-cqcv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-fpjq-c37h-cqcv"}, {"name": "https://github.com/kyverno/kyverno/commit/76c8fdbe87328722e099e1fd44c3f21c9f7809cb", "tags": ["x_refsource_MISC"], "url": "https://github.com/kyverno/kyverno/commit/76c8fdbe87328722e099e1fd44c3f21c9f7809cb"}, {"name": "https://github.com/kyverno/kyverno/commit/80e728c2283a0c65e5adb02d8a907106e6ebe7e3", "tags": ["x_refsource_MISC"], "url": "https://github.com/kyverno/kyverno/commit/80e728c2283a0c65e5adb02d8a907106e6ebe7e3"}], "affected": [{"vendor": "kyverno", "product": "kyverno", "versions": [{"version": "< 1.16.4", "status": "affected"}, {"version": ">= 1.17.0-rc1, < 1.17.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T03:27:08.865Z"}, "descriptions": [{"lang": "en", "value": "Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also causes the admission controller to drop connections and block all matching resource operations. The crash loop persists until the policy is deleted. The vulnerability is confined to the legacy engine, and CEL-based policies are unaffected. Versions 1.17.2 and 1.16.4 fix the issue."}], "source": {"advisory": "GHSA-fpjq-c37h-cqcv", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41485", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T18:52:40.901788Z"}}}], "references": [{"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-fpjq-c37h-cqcv", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:51:28.483Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kyverno:kyverno:*:-:*:*:*:*:*:*", "matchCriteriaId": "1D7E92D2-4888-437F-8CC1-BDD272F595C7", "versionEndExcluding": "1.16.4", "versionStartIncluding": "1.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*", "matchCriteriaId": "69DC2B53-AFC4-4710-B8BC-DCCF46C5CE01", "versionEndExcluding": "1.17.2", "versionStartIncluding": "1.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also causes the admission controller to drop connections and block all matching resource operations. The crash loop persists until the policy is deleted. The vulnerability is confined to the legacy engine, and CEL-based policies are unaffected. Versions 1.17.2 and 1.16.4 fix the issue."}], "id": "CVE-2026-41485", "lastModified": "2026-04-27T17:54:40.313", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T04:16:21.317", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/kyverno/kyverno/commit/76c8fdbe87328722e099e1fd44c3f21c9f7809cb"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/kyverno/kyverno/commit/80e728c2283a0c65e5adb02d8a907106e6ebe7e3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-fpjq-c37h-cqcv"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-fpjq-c37h-cqcv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.16.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.17.0-rc1,1.17.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "inferred", "scores": [{"score": 100.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "kyverno", "source": "cna", "vendor": "kyverno"}, "product": "kyverno", "vendor": "kyverno"}], "analysis": {"en": {"generated_at": "2026-04-28T06:58:47.895181+00:00", "value": {"mitigation_remediation": ["Upgrade Kyverno to version 1.17.2 or 1.16.4 and restart the controller.", "Temporarily revoke or limit permissions for creating or editing Policy and ClusterPolicy objects until the update is applied.", "Remove or disable any existing policies that contain forEach mutations, and consider migrating to CEL-based policies which are not affected by the bug."], "summary": {"action": "Apply Patch", "impact": "Denial of Service via controller crash and admission controller denial"}, "threat_synthesis": {"affected_systems": "Kyverno up through version 1.17.1 and 1.16.3, as well as earlier releases, are affected. The issue is specific to the legacy engine; policies written using CEL are safe. Versions 1.17.2 and 1.16.4 contain the fix.", "description_and_impact": "The vulnerability is an unchecked type assertion in the forEach mutation handler of Kyverno's policy engine. When an authorized user creates a Policy or ClusterPolicy containing a forEach mutation, the controller panics, causing the cluster\u2011wide background controller to enter a persistent CrashLoopBackOff. Simultaneously the admission controller stops accepting connections, blocking all operations that match the policy. The result is a denial of service affecting the entire cluster while the crashing controller remains unrecoverable until the offending policy is deleted.", "risk_and_exploitability": "The CVSS score of 7.7 indicates high severity, but the EPSS score of less than 1% shows that exploitation is currently considered unlikely. The vulnerability is not listed in CISA's KEV catalog, but if an attacker has the ability to create or edit policies, they can trigger the crash by including a forEach mutation. The crash will persist until the policy is removed, making it an effective denial of service vector for any cluster administrator granting policy authorisation."}}}}, "created": "2026-04-27T21:00:11.929035+00:00", "updated": "2026-04-28T07:00:09.554845+00:00", "vendors": ["kyverno", "kyverno$PRODUCT$kyverno"]}