Description
Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.
Published: 2026-01-27
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

Kyverno is a cloud-native policy engine for Kubernetes. In affected versions its policy engine can consume unbounded memory while evaluating a policy whose context variables are built from earlier context variables: each step in such a chain copies the previous value several times, so the resulting string grows exponentially with the length of the chain. The weakness is classed as allocation of resources without limits or throttling (CWE-770). A user who is allowed to create policies can use this to drive the Kyverno controller out of memory and make it unresponsive, resulting in a denial of service. Because Kyverno runs as an admission webhook, an unresponsive engine can also block or delay admission of unrelated workloads if the webhooks are configured to fail closed, and the memory pressure can affect other pods on the same node.
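The advisory describes the mechanism only in general terms: context variables that reference earlier variables so that the string grows exponentially. The following Python check is an added example, not code from the advisory or from the Kyverno project. It estimates how far a rule's context-variable chain can expand so that policies can be screened in CI or a GitOps pre-sync hook before the patched engine is in place. It assumes the general shape of Kyverno context entries (a name plus a variable block with value, jmesPath or default, and {{ name }} references to earlier entries); the two sample policies are constructed for illustration and are not the reported reproducer.

```python
"""Estimate how much a Kyverno rule's context-variable chain can expand a string.

Added example, not code from the advisory or the Kyverno project. Assumption:
a rule's context is an ordered list of entries such as
    - name: v1
      variable:
        value: "{{ v0 }}{{ v0 }}"
and a {{ name }} reference to an earlier entry substitutes that entry's value.
Every reference copies the referenced value, so a chain in which each entry
references the previous one k times grows by a factor of k per step.
"""
import json
import re
import sys
from typing import Any

# Leading identifier of a variable reference: {{ v0 }}, {{ v0 | length(@) }}
# and {{ request.object.metadata.name }} all yield their first path segment.
VAR_REF = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)")

# Flag rules whose estimated expanded string exceeds this many characters.
DEFAULT_THRESHOLD = 1 << 16


def estimate_context_sizes(context: list[dict[str, Any]]) -> dict[str, int]:
    """Return an estimated expanded size (characters) per context variable.

    Literal characters count one each; each reference to an earlier entry adds
    that entry's estimated size. Names not defined earlier in the chain
    (request.*, apiCall results, ...) are assumed small (1 unit), which keeps
    the estimate conservative for ordinary policies.
    """
    sizes: dict[str, int] = {}
    for entry in context:
        name = entry.get("name")
        if not name:
            continue
        spec = entry.get("variable")
        if spec is None:
            # apiCall / configMap / imageRegistry entries fetch data rather
            # than concatenate other variables; treat them as small.
            sizes[name] = 1
            continue
        text = json.dumps(spec)  # scan value, jmesPath and default together
        refs = VAR_REF.findall(text)
        literal = len(VAR_REF.sub("", text))
        sizes[name] = literal + sum(sizes.get(ref, 1) for ref in refs)
    return sizes


def find_amplifying_rules(policy: dict[str, Any],
                          threshold: int = DEFAULT_THRESHOLD) -> list[dict[str, Any]]:
    """Return one finding per rule whose context chain may expand past threshold."""
    findings = []
    for rule in policy.get("spec", {}).get("rules", []):
        sizes = estimate_context_sizes(rule.get("context", []))
        if not sizes:
            continue
        worst, worst_size = max(sizes.items(), key=lambda kv: kv[1])
        if worst_size > threshold:
            findings.append({"policy": policy.get("metadata", {}).get("name"),
                             "rule": rule.get("name"), "variable": worst,
                             "estimated_size": worst_size, "chain_length": len(sizes)})
    return findings


def doubling_chain(depth: int) -> list[dict[str, Any]]:
    """Constructed context chain: each entry is two copies of the previous one."""
    chain = [{"name": "v0", "variable": {"value": "A" * 16}}]
    for i in range(1, depth + 1):
        prev = f"{{{{ v{i - 1} }}}}"  # renders as {{ v<i-1> }}
        chain.append({"name": f"v{i}", "variable": {"value": prev + prev}})
    return chain


# Constructed samples (dict form of the policy YAML), not real-world policies.
SUSPICIOUS_POLICY = {
    "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
    "metadata": {"name": "constructed-amplifier"},
    "spec": {"rules": [{
        "name": "amplify",
        "context": doubling_chain(12),
        "validate": {"message": "{{ v12 }}",
                     "pattern": {"metadata": {"labels": {"owner": "?*"}}}}}]}}

BENIGN_POLICY = {
    "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
    "metadata": {"name": "constructed-benign"},
    "spec": {"rules": [{
        "name": "owner-label",
        "context": [
            {"name": "ns", "variable": {"value": "{{ request.namespace }}"}},
            {"name": "owner", "variable": {"jmesPath": "request.object.metadata.labels.owner",
                                           "default": "unknown"}},
            {"name": "tag", "variable": {"value": "{{ ns }}/{{ owner }}"}}],
        "validate": {"message": "owner tag is {{ tag }}",
                     "pattern": {"metadata": {"labels": {"owner": "?*"}}}}}]}}


if __name__ == "__main__":
    policies = [SUSPICIOUS_POLICY, BENIGN_POLICY]
    if len(sys.argv) > 1:  # optional path to a policy converted to JSON
        with open(sys.argv[1]) as fh:
            policies = [json.load(fh)]
    for pol in policies:
        for f in find_amplifying_rules(pol):
            print(f"{f['policy']}/{f['rule']}: {f['variable']} may expand to about "
                  f"{f['estimated_size']} chars over a {f['chain_length']}-entry chain")
```

The estimate is deliberately crude (it ignores JMESPath functions that shrink or grow values), so treat a hit as a prompt to read the policy rather than as proof of abuse; the point is that exponential growth shows up even at a dozen entries, which is why a fixed threshold catches it while ordinary policies that stitch a few request fields together stay far below it.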

Affected Systems

The vulnerability affects Kyverno (vendor Kyverno, product Kyverno) in versions before 1.16.3 on the 1.16 branch and before 1.15.3 on the 1.15 branch; older release branches, which received no patch release, should also be treated as affected. Any installation running the vulnerable policy engine is exposed, whatever the deployment method.

Risk and Exploitability

The CVSS 3.1 base score is 7.7 (High) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H: the attack is carried out over the network through the Kubernetes API, needs only low privileges (the RBAC right to create Policy or ClusterPolicy objects), requires no user interaction, and the changed scope reflects that the impact reaches beyond the policy the attacker controls to the admission path and the node. The EPSS score is below one percent, suggesting a low probability of exploitation in the wild. The CVE is not listed in CISA's KEV catalog, which means no exploitation in the wild has been confirmed, not that no exploit exists; the SSVC assessment in the history below records a proof of concept as available. Because policy creation is normally reserved for platform administrators, CI pipelines and GitOps service accounts, the realistic attacker is a compromised or malicious holder of one of those identities. The primary risk is a DoS of the Kyverno controllers, of admission for other workloads while the webhooks are unavailable, and of workloads sharing the node if memory is exhausted. Upgrading removes the issue; until then, tightening who may create policies and bounding Kyverno's memory reduce exposure.

Generated by OpenCVE AI on April 18, 2026 at 02:08 UTC.

Remediation

The advisory states that versions 1.16.3 and 1.15.3 contain the fix; no workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Kyverno to 1.16.3 or later, or to 1.15.3 if you are on the 1.15 branch; these releases contain the fix for the unbounded memory consumption.
  • Until the upgrade, restrict the RBAC verbs create, update and patch on policies and clusterpolicies in the kyverno.io API group to a minimal set of trusted users and service accounts, and review existing bindings (including cluster-admin and aggregated roles) for who currently holds them. The advisory names policy creation, but the ability to modify an existing policy gives the same capability.
  • Set memory requests and limits on the Kyverno controller pods and alert on memory growth or OOMKilled restarts of those pods, so that a malicious policy is contained to the Kyverno pod and noticed quickly. A limit bounds the blast radius rather than preventing the DoS: a crash-looping Kyverno still denies admission while it restarts.
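The second action above asks who can currently create policies. The following Python audit is an added example, not code from the advisory or from the Kyverno project. It walks the RBAC objects a cluster returns and lists every subject that can create Policy or ClusterPolicy objects, distinguishing cluster-wide grants from RoleBindings that only allow namespaced Policy objects. It assumes that policy objects live in the kyverno.io API group and that ClusterPolicy is cluster-scoped while Policy is namespaced; the RBAC objects embedded in the block are constructed for illustration.

```python
"""Audit which RBAC subjects can create Kyverno policies.

Added example, not code from the advisory or the Kyverno project. Input is the
item list returned by
    kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json
(aggregated ClusterRoles already carry their merged rules in that output).
Assumption: policy objects live in the kyverno.io API group, ClusterPolicy is
cluster-scoped and Policy is namespaced, so a RoleBinding can only grant the latter.
"""
import json
import sys
from typing import Any

CREATE_VERBS = {"create", "*"}


def rule_grants_policy_create(rule: dict[str, Any], namespaced: bool) -> bool:
    """True if one RBAC rule allows creating policies.

    namespaced=True means the rule is reached through a RoleBinding, where only
    the namespaced Policy resource counts. Subresource-only grants such as
    "policies/status" never count.
    """
    wanted = {"policies"} if namespaced else {"policies", "clusterpolicies"}
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    return (("*" in groups or "kyverno.io" in groups)
            and ("*" in resources or bool(resources & wanted))
            and bool(verbs & CREATE_VERBS))


def find_policy_creators(items: list[dict[str, Any]]) -> list[tuple[str, str, str, str]]:
    """Return (subject, scope, binding, role) tuples.

    subject is "Kind/name" or "ServiceAccount/namespace/name"; scope is
    "cluster" for a ClusterRoleBinding, otherwise the RoleBinding's namespace.
    """
    cluster_roles = {o["metadata"]["name"]: o for o in items if o["kind"] == "ClusterRole"}
    roles = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
             for o in items if o["kind"] == "Role"}
    found = []
    for b in items:
        if b["kind"] not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        ns = b["metadata"].get("namespace")  # None for a ClusterRoleBinding
        ref = b["roleRef"]
        role = (cluster_roles.get(ref["name"]) if ref["kind"] == "ClusterRole"
                else roles.get((ns, ref["name"])))
        if role is None or not any(rule_grants_policy_create(r, ns is not None)
                                   for r in role.get("rules", [])):
            continue
        for s in b.get("subjects", []):
            subject = "/".join(x for x in (s["kind"], s.get("namespace"), s["name"]) if x)
            found.append((subject, ns or "cluster", b["metadata"]["name"], ref["name"]))
    return found


def _role(kind, name, rules, ns=None):
    return {"kind": kind, "metadata": {"name": name, **({"namespace": ns} if ns else {})},
            "rules": rules}


def _binding(kind, name, role_kind, role_name, subjects, ns=None):
    return {"kind": kind, "metadata": {"name": name, **({"namespace": ns} if ns else {})},
            "roleRef": {"kind": role_kind, "name": role_name}, "subjects": subjects}


def _rule(groups, resources, verbs):
    return {"apiGroups": groups, "resources": resources, "verbs": verbs}


# Constructed RBAC objects standing in for real kubectl output.
SAMPLE_ITEMS = [
    _role("ClusterRole", "cluster-admin", [_rule(["*"], ["*"], ["*"])]),
    _role("ClusterRole", "policy-author",
          [_rule(["kyverno.io"], ["policies", "clusterpolicies"], ["create", "update", "get", "list"])]),
    _role("ClusterRole", "policy-viewer",
          [_rule(["kyverno.io"], ["policies", "clusterpolicies"], ["get", "list", "watch"])]),
    _role("ClusterRole", "policy-status", [_rule(["kyverno.io"], ["policies/status"], ["update", "patch"])]),
    _role("ClusterRole", "clusterpolicy-only", [_rule(["kyverno.io"], ["clusterpolicies"], ["create"])]),
    _role("Role", "local-policy-editor", [_rule(["kyverno.io"], ["policies"], ["create", "delete"])], ns="team-a"),
    _binding("ClusterRoleBinding", "admins", "ClusterRole", "cluster-admin",
             [{"kind": "User", "name": "alice"}, {"kind": "Group", "name": "platform-admins"}]),
    _binding("ClusterRoleBinding", "ci-policy-author", "ClusterRole", "policy-author",
             [{"kind": "ServiceAccount", "namespace": "ci", "name": "policy-ci"}]),
    _binding("ClusterRoleBinding", "viewers", "ClusterRole", "policy-viewer",
             [{"kind": "Group", "name": "developers"}]),
    _binding("ClusterRoleBinding", "status-writers", "ClusterRole", "policy-status",
             [{"kind": "ServiceAccount", "namespace": "tools", "name": "reporter"}]),
    _binding("RoleBinding", "team-a-policy-editors", "Role", "local-policy-editor",
             [{"kind": "User", "name": "bob"}], ns="team-a"),
    # A RoleBinding cannot grant a cluster-scoped resource, so carol is not flagged.
    _binding("RoleBinding", "team-b-clusterpolicies", "ClusterRole", "clusterpolicy-only",
             [{"kind": "User", "name": "carol"}], ns="team-b"),
]


if __name__ == "__main__":
    items = SAMPLE_ITEMS
    if len(sys.argv) > 1:  # path to saved kubectl JSON output
        with open(sys.argv[1]) as fh:
            items = json.load(fh)["items"]
    for subject, scope, binding, role in find_policy_creators(items):
        print(f"{subject:40} scope={scope:10} via {binding} -> {role}")
```

Expect cluster-admin holders and possibly Kyverno's own controller service accounts to appear; those are entries to review and justify, not to revoke blindly. Extend CREATE_VERBS with update and patch if you also want to see who can rewrite an existing policy, which gives the same capability as creating one.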

Generated by OpenCVE AI on April 18, 2026 at 02:08 UTC.


Advisories
Source        ID                    Title
GitHub GHSA   GHSA-r2rj-wwm5-x6mq   Kyverno Denial of Service via Context Variable Amplification in Policy Engine
History

Mon, 02 Feb 2026 15:30:00 +0000

Type   Values Removed   Values Added
CPEs                    cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*

Tue, 27 Jan 2026 20:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Kyverno
                                       Kyverno kyverno
Vendors & Products                     Kyverno
                                       Kyverno kyverno

Tue, 27 Jan 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 16:30:00 +0000

Type          Values Removed   Values Added
Description                    Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.
Title                          Kyverno Denial of Service via Context Variable Amplification in Policy Engine
Weaknesses                     CWE-770
References
Metrics                        cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T16:33:03.342Z

Reserved: 2026-01-16T21:02:02.900Z

Link: CVE-2026-23881

Vulnrichment

Updated: 2026-01-27T16:32:55.203Z

NVD

Status : Analyzed

Published: 2026-01-27T17:16:12.733

Modified: 2026-02-02T15:20:13.000

Link: CVE-2026-23881

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:15:05Z

Weaknesses