CVE-2026-23881
Kyverno Denial of Service via Context Variable Amplification in Policy Engine
7.7
HIGH
CVSS 3.1
EPSS 0.10%
Description
Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.15.3, and 1.16.x versions prior to 1.16.3, have unbounded memory consumption in Kyverno's policy engine: a user with policy creation privileges can cause a denial of service by crafting a policy whose context variables exponentially amplify string data, exhausting the memory of the component that evaluates it. Versions 1.15.3 and 1.16.3 contain a patch for the vulnerability.
How to fix CVE-2026-23881
To remediate CVE-2026-23881, upgrade Kyverno to the fixed release for the branch you are running. Note that 1.16.0 through 1.16.2 are newer than 1.15.3 but still vulnerable, so "1.15.3 or later" is not sufficient on the 1.16 branch.
- 1.15.x: upgrade to 1.15.3 or later
- 1.16.x (including 1.16.0-rc.1 and later pre-releases): upgrade to 1.16.3 or later
Until the upgrade is applied, limit who can create or update Kyverno policies, since the attacker needs policy creation privileges.
Is CVE-2026-23881 being exploited?
Low. The EPSS score is 0.10%, a low estimated probability of exploitation in the wild over the next 30 days; EPSS does not confirm or rule out observed exploitation. The attacker must already hold policy creation privileges (PR:L in the CVSS vector), which narrows the population of principals that can trigger it.
Affected packages (3)
- all versions < 1.15.3, and 1.16.0 <= version < 1.16.3
- all versions < 1.15.3
- all versions < 1.15.3, and 1.16.0-rc.1 <= version < 1.16.3
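The version ranges above have an edge case that a naive "is it at least 1.15.3" check gets wrong: 1.16.0 through 1.16.2 (and the 1.16.0-rc.1 pre-release) are vulnerable even though they sort above 1.15.3. The following helper, added here as an illustration and not code from the Kyverno project, encodes the advisory's ranges with pre-release-aware ordering and reports the minimum fixed version for the running branch. Obtaining the deployed version (for example from the image tag of the Kyverno admission controller) is left to the operator; the version strings in the usage example are constructed.

```python
import re

# Accepts "1.16.0", "v1.16.0" and pre-release tags such as "1.16.0-rc.1".
_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(s):
    """Return a sortable key; a pre-release sorts below its final release."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch, pre = m.groups()
    # Numeric identifiers compare numerically ("rc.10" > "rc.2"), others as text.
    pre_key = tuple(
        (0, int(p)) if p.isdigit() else (1, p) for p in pre.split(".")
    ) if pre else ()
    # Fourth element: 0 for pre-release, 1 for final, so 1.16.0-rc.1 < 1.16.0.
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre_key)


# Vulnerable ranges from the advisory: [lower, upper) per branch.
AFFECTED_RANGES = [
    (parse_version("0.0.0"), parse_version("1.15.3")),
    (parse_version("1.16.0-rc.1"), parse_version("1.16.3")),
]


def is_affected(version):
    """True if this Kyverno version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def remediation(version):
    """Minimum fixed release for the running branch, or None if already fixed."""
    if not is_affected(version):
        return None
    major, minor, *_ = parse_version(version)
    return "1.16.3" if (major, minor) >= (1, 16) else "1.15.3"


if __name__ == "__main__":
    # Constructed sample inputs, not values observed on any real cluster.
    for tag in ["v1.14.5", "1.15.2", "1.15.3", "1.16.0-rc.1", "1.16.2", "1.16.3"]:
        print(f"{tag:12} affected={is_affected(tag)!s:5} upgrade_to={remediation(tag)}")
```

Feed it the image tag or `kyverno version` output for each Kyverno deployment; a non-None return from `remediation()` is the release to move to. Versions 1.17 and above are not listed as affected by the advisory and are treated as fixed.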
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H |
Vector breakdown: reachable over the network (AV:N) with low attack complexity (AC:L), requires low privileges (PR:L, the policy creation right) and no user interaction (UI:N); scope is changed (S:C) because a crafted policy object takes down the policy engine that serves the whole cluster; no confidentiality or integrity impact (C:N/I:N) but high availability impact (A:H).