Description
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also causes the admission controller to drop connections and block all matching resource operations. The crash loop persists until the policy is deleted. The vulnerability is confined to the legacy engine, and CEL-based policies are unaffected. Versions 1.17.2 and 1.16.4 fix the issue.
Published: 2026-04-24
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via controller crash and admission controller denial
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an unchecked type assertion in the forEach mutation handler of Kyverno's policy engine. When an authorized user creates a Policy or ClusterPolicy containing a forEach mutation, the controller panics, causing the cluster‑wide background controller to enter a persistent CrashLoopBackOff. Simultaneously the admission controller stops accepting connections, blocking all operations that match the policy. The result is a denial of service affecting the entire cluster while the crashing controller remains unrecoverable until the offending policy is deleted.

Affected Systems

Kyverno up through version 1.17.1 and 1.16.3, as well as earlier releases, are affected. The issue is specific to the legacy engine; policies written using CEL are safe. Versions 1.17.2 and 1.16.4 contain the fix.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, but the EPSS score of less than 1% shows that exploitation is currently considered unlikely. The vulnerability is not listed in CISA's KEV catalog, but if an attacker has the ability to create or edit policies, they can trigger the crash by including a forEach mutation. The crash will persist until the policy is removed, making it an effective denial of service vector for any cluster administrator granting policy authorisation.

Generated by OpenCVE AI on April 28, 2026 at 06:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kyverno to version 1.17.2 or 1.16.4 and restart the controller.
  • Temporarily revoke or limit permissions for creating or editing Policy and ClusterPolicy objects until the update is applied.
  • Remove or disable any existing policies that contain forEach mutations, and consider migrating to CEL-based policies which are not affected by the bug.

Generated by OpenCVE AI on April 28, 2026 at 06:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fpjq-c37h-cqcv Kyverno Controller Denial of Service via forEach Mutation Panic
History

Mon, 27 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Kyverno
Kyverno kyverno
CPEs cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*:*
cpe:2.3:a:kyverno:kyverno:*:-:*:*:*:*:*:*
Vendors & Products Kyverno
Kyverno kyverno

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Description Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also causes the admission controller to drop connections and block all matching resource operations. The crash loop persists until the policy is deleted. The vulnerability is confined to the legacy engine, and CEL-based policies are unaffected. Versions 1.17.2 and 1.16.4 fix the issue.
Title Kyverno Controller Denial of Service via forEach Mutation Panic
Weaknesses CWE-617
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}

Subscriptions

Kyverno Kyverno
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T18:53:26.871Z

Reserved: 2026-04-20T16:14:19.007Z

Link: CVE-2026-41485

cve-icon Vulnrichment

Updated: 2026-04-24T18:51:28.483Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T04:16:21.317

Modified: 2026-04-27T17:54:40.313

Link: CVE-2026-41485

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:00:09Z

Weaknesses