CVE-2026-23881 | THREATINT

Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.

PUBLISHED Reserved 2026-01-16 | Published 2026-01-27 | Updated 2026-01-27 | Assigner GitHub_M

HIGH: 7.7CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Problem types

CWE-770: Allocation of Resources Without Limits or Throttling

Product status

< 1.15.3

affected

>= 1.16.0, < 1.16.3

affected

References

github.com/...yverno/security/advisories/GHSA-r2rj-wwm5-x6mq

github.com/...ommit/7a651be3a8c78dcabfbf4178b8d89026bf3b850f

github.com/...ommit/f5617f60920568a301740485472bf704892175b7

cve.org (CVE-2026-23881)

nvd.nist.gov (CVE-2026-23881)

Download JSON