Description
A security issue was discovered in ingress-nginx where the validating admission controller feature is subject to a denial of service condition. By sending large requests to the validating admission controller, an attacker can cause memory consumption, which may result in the ingress-nginx controller pod being killed or the node running out of memory.
Published: 2026-02-03
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

A denial of service condition exists in the ingress-nginx validating admission controller: an attacker can send oversized requests that consume memory. The vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The direct impact is excessive memory use, which may lead to termination of the controller pod or an out-of-memory condition on the node, disrupting availability for the affected workloads.

Affected Systems

The flaw affects installations of the Kubernetes ingress-nginx controller; specific affected versions are not listed in the advisory, so all deployments using ingress-nginx should be examined for the potential presence of the issue.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity. The EPSS probability is less than 1%, suggesting a low likelihood of exploitation at the time of analysis, and the vulnerability is not in the CISA KEV catalog. Likely attack vectors involve an external attacker sending large requests to the API server that triggers the admission controller of ingress-nginx. No additional prerequisites are noted beyond the ability to target the controller.

Generated by OpenCVE AI on April 17, 2026 at 23:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ingress-nginx to a version that incorporates the fix for the admission controller denial of service issue.
  • Configure maximum request size limits in the ingress controller or use Kubernetes admission hooks to reject excessive payloads before they consume controller memory.
  • If the validating admission controller is unnecessary for your cluster, disable it to eliminate the attack surface until a patch is applied.

Advisories
Source: Github GHSA
ID: GHSA-2pf9-vr92-6h3v
Title: ingress-nginx vulnerable to Allocation of Resources Without Limits or Throttling

History

Wed, 04 Feb 2026 15:15:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 12:15:00 +0000

First Time appeared (added): Kubernetes; Kubernetes ingress-nginx
Vendors & Products (added): Kubernetes; Kubernetes ingress-nginx

Tue, 03 Feb 2026 22:45:00 +0000

Description (added): A security issue was discovered in ingress-nginx where the validating admission controller feature is subject to a denial of service condition. By sending large requests to the validating admission controller, an attacker can cause memory consumption, which may result in the ingress-nginx controller pod being killed or the node running out of memory.
Title (added): ingress-nginx Admission Controller denial of service
Weaknesses (added): CWE-770
References:
Metrics (added): cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: kubernetes

Published:

Updated: 2026-02-18T17:29:47.895Z

Reserved: 2026-01-23T06:54:35.913Z

Link: CVE-2026-24514

Vulnrichment

Updated: 2026-02-04T14:39:10.315Z

NVD

Status: Deferred

Published: 2026-02-03T23:16:07.280

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24514

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:00:09Z

Weaknesses