CVE-2026-23881
published 2026-01-27
CVE-2026-23881: Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in…
Priority P3 (36) · medium · CVSS 3.1 base score 6.5
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS 0.53% (40.8th percentile)
Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | kyverno_kyverno | >= 0 < 1.15.3 | 1.15.3 |
| github.com | kyverno_kyverno | >= 1.16.0-rc.1 < 1.16.3 | 1.16.3 |
| kyverno | kyverno | < 1.15.3 | 1.15.3 |
| kyverno | kyverno | — | — |
| kyverno | kyverno | >= 1.16.0 < 1.16.3 | 1.16.3 |
OSV
Kyverno Denial of Service via Context Variable Amplification in Policy Engine in github.com/kyverno/kyverno
osv·2026-02-02
GHSA
Kyverno Denial of Service via Context Variable Amplification in Policy Engine
ghsa·2026-01-27 · HIGH · CWE-770
## Summary
Unbounded memory consumption in Kyverno's policy engine allows users with policy creation privileges to cause Denial of Service by crafting policies that exponentially amplify string data through context variables.
## Details
For example, the `random()` JMESPath function in `pkg/engine/jmespath/functions.go` generates random strings. Combined with the `join()` function, an attacker can create exponential string amplification through context variable chaining. The PoC attack uses exponential doubling:
- `l0` = `random('[a-zA-Z0-9]{1000}')` → 1KB
- `l1` = `join('', [l0, l0])` → 2KB
- `l2` = `join('', [l1, l1])` → 4KB
- ... continues to `l18` → 256MB
The context evaluation has no cumulative size limi
OSV
Kyverno Denial of Service via Context Variable Amplification in Policy Engine
osv·2026-01-27 · HIGH
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-4789 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5 · HIGH
## CVE-2026-4789: Kyverno vulnerability analysis and mitigation
Kyverno versions 1.16.0 and later are vulnerable to SSRF due to unrestricted CEL HTTP functions.
Source: NVD
| Field | Value |
|---|---|
| Score | 9.8 |
| Published | March 30, 2026 |
| Severity | CRITICAL |
| CNA Score | 9.8 |
| Affected Technologies | Kyverno |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 5.3 |
| Exploitation Probability (EPSS) | N/A |
Affected packages and libraries: cpe:2.3:a:kyverno:kyverno (kyverno)
Sources
| Source | Severity | Fix | Added at |
|---|---|---|---|
| Chainguard | — | No Fix | Mar 31, 2026 |
| GoLang | MEDIUM | No Fix | Apr 02, 2026 |
| Homebrew | CRITICAL | No Fix | Apr 06, 2026 |
| Nix | CRITICAL | No Fix | Apr 06, 2026 |
| Linux | CRITICAL | Has Fix | — |
Wiz
CVE-2026-23881 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7 · HIGH
## CVE-2026-23881: Wolfi vulnerability analysis and mitigation
Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.
Source: NVD
| Field | Value |
|---|---|
| Score | 6.5 |
| Published | January 27, 2026 |
| Severity | MEDIUM |
| CNA Score | 7.7 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 19.3 |
| Exploitation Probability (EPSS) | 0.1 |