CVE-2026-23881
PUBLISHED
Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.
EPSS 0.10% · 28.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | kyverno | 0, 1.16.0 |
Exploit Intelligence
- https://github.com/kyverno/kyverno/security/advisories/GHSA-r2rj-wwm5-x6mq (nist-nvd)
- CIRCL seen: CVE-2026-23881 (circl-sighting)
- https://github.com/kyverno/kyverno/commit/7a651be3a8c78dcabfbf4178b8d89026bf3b850f (circl)
- https://github.com/kyverno/kyverno/commit/f5617f60920568a301740485472bf704892175b7 (circl)
- go_dos.json (github-poc)
- go_dos.json (github-poc)
- go_dos.json (github-poc)
- go_dos.json (github-poc)
- go_dos.json (github-poc)
- go_dos.json (github-poc)
…and 3 more exploits
Timeline
- Jan 27, 2026 CVE Published
- Jan 27, 2026 PoC Published
- Jan 28, 2026 EPSS Score
- Jan 29, 2026 CVE Updated
- Jan 30, 2026 EPSS Score
- Jan 30, 2026 Security Advisory
- Feb 2, 2026 EPSS Score
- Feb 4, 2026 EPSS Score
- Feb 7, 2026 EPSS Score
- Feb 9, 2026 EPSS Score
- Feb 12, 2026 EPSS Score
- Feb 14, 2026 EPSS Score
References
- https://github.com/kyverno/kyverno/commit/7a651be3a8c78dcabfbf4178b8d89026bf3b850f
- https://github.com/kyverno/kyverno/commit/f5617f60920568a301740485472bf704892175b7
- https://github.com/kyverno/kyverno/security/advisories/GHSA-r2rj-wwm5-x6mq
- https://nvd.nist.gov/vuln/detail/CVE-2026-23881