Description
spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes — all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.
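The defect class above is a length field trusted before allocation. The following Go program is an added illustration written for this page, not code from spdystream or from the fix in 0.5.1: it parses a SPDY/3-style SETTINGS body (4-byte entry count, then 8-byte entries) once the way the description says the vulnerable paths did, with `make` sized directly from the peer-supplied 32-bit count, and once with the count checked against the bytes actually present before anything is allocated. The function names, the `Setting` type and the sample frames are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Setting is one SPDY/3 SETTINGS entry: 8 flag bits, a 24-bit ID and a 32-bit value.
type Setting struct {
	Flags uint8
	ID    uint32
	Value uint32
}

const settingEntrySize = 8 // SPDY/3 wire size: 4 bytes flags+ID, 4 bytes value

var errBadCount = errors.New("settings entry count exceeds payload length")

// parseSettingsUnchecked trusts the 32-bit count read from the frame body and sizes
// its allocation from it. This is an illustrative reconstruction of the defect class
// described above (hypothetical code, not spdystream's): a declared count near 2^32
// makes the allocation attempt tens of gigabytes before a single entry is read.
func parseSettingsUnchecked(body []byte) ([]Setting, error) {
	if len(body) < 4 {
		return nil, errors.New("short settings body")
	}
	count := binary.BigEndian.Uint32(body[:4])
	entries := make([]Setting, 0, count) // allocation sized by a peer-controlled value
	return readEntries(body[4:], count, entries)
}

// parseSettingsBounded refuses any count the remaining bytes cannot back. The check
// runs before the allocation, so a bogus count costs nothing but an error.
func parseSettingsBounded(body []byte) ([]Setting, error) {
	if len(body) < 4 {
		return nil, errors.New("short settings body")
	}
	count := binary.BigEndian.Uint32(body[:4])
	rest := body[4:]
	// uint64 arithmetic so count*8 cannot wrap around on a 32-bit platform.
	if uint64(count)*settingEntrySize > uint64(len(rest)) {
		return nil, fmt.Errorf("%w: count=%d, bytes=%d", errBadCount, count, len(rest))
	}
	entries := make([]Setting, 0, count) // now bounded by the frame's real length
	return readEntries(rest, count, entries)
}

// readEntries decodes count entries from rest, failing on a truncated entry.
func readEntries(rest []byte, count uint32, entries []Setting) ([]Setting, error) {
	for i := uint32(0); i < count; i++ {
		if len(rest) < settingEntrySize {
			return nil, errors.New("truncated settings entry")
		}
		idFlags := binary.BigEndian.Uint32(rest[:4])
		entries = append(entries, Setting{
			Flags: uint8(idFlags >> 24),
			ID:    idFlags & 0x00FFFFFF,
			Value: binary.BigEndian.Uint32(rest[4:8]),
		})
		rest = rest[settingEntrySize:]
	}
	return entries, nil
}

// buildSettingsBody constructs a SETTINGS body with an arbitrary declared count and
// the given real entries (constructed test data; the two need not agree).
func buildSettingsBody(declared uint32, entries []Setting) []byte {
	b := make([]byte, 4, 4+settingEntrySize*len(entries))
	binary.BigEndian.PutUint32(b, declared)
	for _, e := range entries {
		var ent [settingEntrySize]byte
		binary.BigEndian.PutUint32(ent[:4], uint32(e.Flags)<<24|e.ID&0x00FFFFFF)
		binary.BigEndian.PutUint32(ent[4:], e.Value)
		b = append(b, ent[:]...)
	}
	return b
}

func main() {
	// Well-formed: one entry, SETTINGS_MAX_CONCURRENT_STREAMS (ID 4) = 100.
	good := buildSettingsBody(1, []Setting{{ID: 4, Value: 100}})
	s, err := parseSettingsBounded(good)
	fmt.Println(s, err)

	// Hostile shape: 12 bytes on the wire that declare 0xFFFFFFFF entries.
	crafted := buildSettingsBody(0xFFFFFFFF, []Setting{{ID: 4, Value: 100}})
	_, err = parseSettingsBounded(crafted) // rejected before any allocation
	fmt.Println(err)
}
```

The same "compare the declared count with the bytes that can back it" step applies to the header-count and header-field-length reads the description names; for a zlib-compressed header block the bound has to be placed on the decompressed output as well, since the compressed frame is small by construction.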
Published: 2026-04-16
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A flaw in the SPDY streaming code used by Kubelet, CRI‑O and kube‑apiserver can cause the affected components to become unresponsive. The vulnerability is a resource exhaustion issue (CWE‑770) that can interrupt normal cluster operations. When successfully exploited, it causes a denial of service of the components involved, so administrators and applications that rely on pod port forwarding, exec, attach or node proxying lose access to those functions.

Affected Systems

The affected components are Kubernetes Kubelet, the CRI‑O container runtime, and the kube‑apiserver. The specific product versions that contain the defect are not disclosed in the data provided. Any installation of these components that has not yet been patched is potentially vulnerable and should be reviewed for the presence of the fix.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and no EPSS score is available, so the likelihood of exploitation is uncertain but cannot be excluded. The vulnerability is not listed in the CISA KEV catalog. Attackers who hold cluster roles that permit pod port‑forwarding, exec, attach, or node proxying can trigger the DoS path, typically by opening multiple SPDY streams that overwhelm component resources. The impact is a loss of availability for the affected services, which can cascade to dependent workloads.

Generated by OpenCVE AI on April 16, 2026 at 08:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kubelet, CRI‑O, and kube‑apiserver to the latest patched releases that fix SPDY streaming
  • Restrict RBAC permissions for pod port‑forward, exec, attach, and proxy to trusted users only
  • Apply resource limits and pod quotas to limit the number of concurrent SPDY streams and prevent resource exhaustion


Advisories
Source: GitHub GHSA
ID: GHSA-pc3f-x583-g7j2
Title: SpdyStream: DOS on CRI
History

Thu, 16 Apr 2026 21:30:00 +0000

Description
  Removed: A flaw was found in the SPDY streaming code used by Kubelet, CRI-O, and kube-apiserver. An attacker with specific cluster roles, such as those allowing access to pod port forwarding, execution, or attachment, or node proxying, could exploit this vulnerability. This could lead to a Denial of Service (DoS) by causing the affected components to become unresponsive.
  Added: spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count, the header count in parseHeaderValueBlock, and individual header field sizes — all read as 32-bit integers and used directly as allocation sizes with no bounds checking. Because SPDY header blocks are zlib-compressed, a small on-the-wire payload can decompress into large attacker-controlled values. A remote peer that can send SPDY frames to a service using spdystream can exhaust process memory and cause an out-of-memory crash with a single crafted control frame. This issue has been fixed in version 0.5.1.
Title
  Removed: Kubelet: CRI-O: kube-apiserver: Kubelet, CRI-O, kube-apiserver: Denial of Service via SPDY streaming code
  Added: SpdyStream: DOS on CRI
References
Metrics
  Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Thu, 16 Apr 2026 09:30:00 +0000

First Time appeared
  Added: Kubernetes
  Added: Kubernetes kubelet
Vendors & Products
  Added: Kubernetes
  Added: Kubernetes kubelet

Thu, 16 Apr 2026 00:15:00 +0000

Description
  Added: A flaw was found in the SPDY streaming code used by Kubelet, CRI-O, and kube-apiserver. An attacker with specific cluster roles, such as those allowing access to pod port forwarding, execution, or attachment, or node proxying, could exploit this vulnerability. This could lead to a Denial of Service (DoS) by causing the affected components to become unresponsive.
Title
  Added: Kubelet: CRI-O: kube-apiserver: Kubelet, CRI-O, kube-apiserver: Denial of Service via SPDY streaming code
Weaknesses
  Added: CWE-770
References
Metrics
  Removed: threat_severity None
  Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
  Added: threat_severity Important


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T21:19:23.516Z

Reserved: 2026-04-02T20:49:44.452Z

Link: CVE-2026-35469

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-16T22:16:37.920

Modified: 2026-04-16T22:16:37.920

Link: CVE-2026-35469

Redhat

Severity : Important

Public Date: 2026-04-13T23:59:59Z

Links: CVE-2026-35469 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T09:12:54Z

Weaknesses