Kyverno Denial of Service via Context Variable Amplification in Policy...

7.7 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.

Basic Information

ID CVE-2026-23881

Source GitHub_M

Published Jan 27, 2026 at 16:10

Modified Jan 27, 2026 at 16:33

Affected Product

Vendor kyverno

Product kyverno

Version < 1.15.3

Affected Versions kyverno kyverno < 1.15.3
kyverno kyverno >= 1.16.0, < 1.16.3

CWE Classification

CWE-770

References

{
    "lastseen": "",
    "description": "Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.",
    "published": "2026-01-27T16:10:44.376Z",
    "modified": "2026-01-27T16:33:03.342Z",
    "type": "cve",
    "title": "Kyverno Denial of Service via Context Variable Amplification in Policy Engine",
    "source": "GitHub_M",
    "references": "https://github.com/kyverno/kyverno/security/advisories/GHSA-r2rj-wwm5-x6mq\nhttps://github.com/kyverno/kyverno/commit/7a651be3a8c78dcabfbf4178b8d89026bf3b850f\nhttps://github.com/kyverno/kyverno/commit/f5617f60920568a301740485472bf704892175b7",
    "id": "CVE-2026-23881",
    "bulletinFamily": "",
    "cwe": [
        "CWE-770"
    ],
    "cvelist": null,
    "sourceData": "kyverno kyverno < 1.15.3\nkyverno kyverno >= 1.16.0, < 1.16.3",
    "sourceHref": "",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "kyverno",
    "version": "< 1.15.3",
    "vendor": "kyverno",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Kyverno Denial of Service via Context Variable Amplification in Policy Engine_CVE-2026-23881