<0.1% probability · 13.5th percentile — 2026-05-12
Affected versions
Kyverno versions before 1.16.4 and 1.17.2 (legacy engine only)
Summary
This vulnerability impacts Kyverno's legacy policy engine. An unchecked type assertion in the forEach mutation handler allows any authorized policy creator to crash the cluster-wide background controller. This causes a persistent CrashLoopBackOff and blocks all matching resource operations. CEL-based policies are not affected by this flaw.
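The flaw described above is a Go unchecked type assertion: when a forEach element does not have the shape the handler assumes, the single-value assertion panics and takes the controller process with it. The following added example (not Kyverno's code; the handler, its input shape and the key-counting logic are hypothetical) shows that panic beside the two-value assertion that turns bad input into a per-policy error instead of a crash.

```go
package main

import "fmt"

// countKeysUnchecked mirrors the flaw: a bare type assertion panics on
// any element that is not a map. In a shared controller that panic is a
// cluster-wide denial of service, not a single bad policy.
func countKeysUnchecked(elements []interface{}) int {
	total := 0
	for _, e := range elements {
		m := e.(map[string]interface{}) // panics if e is not a map
		total += len(m)
	}
	return total
}

// countKeysChecked is the hardened form: the two-value assertion turns
// an unexpected element into an error the caller can attach to the
// offending policy while the controller keeps running.
func countKeysChecked(elements []interface{}) (int, error) {
	total := 0
	for i, e := range elements {
		m, ok := e.(map[string]interface{})
		if !ok {
			return 0, fmt.Errorf("element %d: expected object, got %T", i, e)
		}
		total += len(m)
	}
	return total, nil
}

// didPanic reports whether fn panicked, so the crash can be shown
// without terminating the program.
func didPanic(fn func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	// Constructed input: a well-formed object followed by a scalar that
	// a policy author could supply and the handler did not anticipate.
	elems := []interface{}{map[string]interface{}{"a": 1, "b": 2}, "not-an-object"}
	fmt.Println("unchecked panics:", didPanic(func() { countKeysUnchecked(elems) }))
	_, err := countKeysChecked(elems)
	fmt.Println("checked error:", err)
}
```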
Remediation
Upgrade Kyverno to patched versions 1.16.4 or 1.17.2 to resolve this issue. Remove any unauthorized or suspicious policies from your cluster as a temporary mitigation. Migrate legacy policies to CEL to reduce future exposure to similar flaws.
Exploit info
This exploit has been publicly disclosed, with references to this issue documented in trusted public vulnerability databases. You may check Exploit-DB or GitHub for potential exploit details.