Kyverno Policy Engine Flaw: Cluster Crash and Admission Controller Bypass

The National Vulnerability Database (NVD) reports a high-severity vulnerability, CVE-2026-41485, in Kyverno, a policy engine for cloud-native platforms. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the forEach mutation handler (in Go, an interface conversion that panics instead of returning an error when the value is not of the expected type) allows any authenticated user with permission to create a Policy or ClusterPolicy to trigger a persistent CrashLoopBackOff in the cluster-wide background controller. Because the crafted policy stays stored in the API server, the controller hits the same panic on every restart and remains offline until the policy is removed.

The flaw also reaches the admission controller. NVD indicates that the bug causes the admission controller to drop connections, so the API server's webhook calls for matching resources fail and those operations are blocked. What that failure means in practice depends on how the affected admission webhook is configured to fail: with a fail-closed webhook (failurePolicy: Fail) matching create and update requests are rejected, which is an outage; with a fail-open webhook (failurePolicy: Ignore) they are admitted without the policy being applied, which is a bypass. Either way, policy enforcement is compromised. The vulnerability is confined to the legacy rule engine; policies written in Common Expression Language (CEL) are unaffected.

This is not just a nuisance; it is a denial-of-service vector with direct consequences for policy enforcement. The CVSS score of 7.7 (HIGH) reflects the network attack vector and the high impact on availability. The only precondition is an account that can create policy objects, a right that is worth checking because it is often granted more widely than cluster administration. Fixes are available in versions 1.17.2 and 1.16.4.

What This Means For You

  • If your organization runs Kyverno as its Kubernetes policy engine, check the deployed version now. The admission controller and the background controller run from separate images, so check both. Upgrade to 1.17.2 or 1.16.4 (or later on the same line). If immediate patching is not possible, enumerate which users, groups and service accounts can create `policies` and `clusterpolicies` in the `kyverno.io` API group, including wildcard rules and namespaced RoleBindings (a namespaced `Policy` is enough to trigger the crash), and restrict that right to trusted administrators. A controller pod that enters CrashLoopBackOff right after a policy change is the signal to watch for; deleting the offending policy restores it.
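The two checks above (affected image tags, and who holds create on policy objects) scripted against the JSON that kubectl emits, as an added example that is not part of the original advisory or of the Kyverno project. It assumes you feed in the `items` of `kubectl -n kyverno get deploy -o json` and of `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`; the deployment and RBAC documents embedded below are constructed samples, and treating minor lines newer than 1.17 as fixed is an assumption.

```python
"""Triage helpers for CVE-2026-41485: flag Kyverno images below the fixed
releases and list RBAC subjects able to create Policy/ClusterPolicy objects.
Added example, not Kyverno project code. Inputs are the JSON documents that
`kubectl ... -o json` emits; the samples at the bottom are constructed."""
import re

# First fixed patch release on each affected minor line (from the advisory).
FIXED_PATCH = {(1, 16): 4, (1, 17): 2}
POLICY_RESOURCES = {"policies", "clusterpolicies"}
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

def parse_version(image):
    """major.minor.patch from the tag of an image reference such as
    'ghcr.io/kyverno/background-controller:v1.17.1'; None if there is no tag."""
    m = VERSION_RE.search(image.rsplit("/", 1)[-1])
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable(version):
    """True if the version predates the fix on its line, or predates 1.16
    entirely. Lines newer than 1.17 are assumed to carry the fix (assumption)."""
    major, minor, patch = version
    line = (major, minor)
    if line in FIXED_PATCH:
        return patch < FIXED_PATCH[line]
    return line < (1, 16)

def vulnerable_deployments(deploy_list):
    """From `kubectl -n kyverno get deploy -o json`: (deployment, container,
    version) for each container running an affected image tag."""
    hits = []
    for dep in deploy_list["items"]:
        for c in dep["spec"]["template"]["spec"]["containers"]:
            v = parse_version(c["image"])
            if v and is_vulnerable(v):
                hits.append((dep["metadata"]["name"], c["name"], "%d.%d.%d" % v))
    return hits

def _grants_policy_create(rule):
    """PolicyRule allows create (or *) on policies/clusterpolicies (or *) in kyverno.io (or *)."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    return bool(groups & {"kyverno.io", "*"}
                and (resources & POLICY_RESOURCES or "*" in resources)
                and verbs & {"create", "*"})

def policy_creators(roles, bindings):
    """Subjects bound to a Role/ClusterRole that grants policy creation. A RoleBinding
    counts: a namespaced Policy triggers the crash too. Aggregated ClusterRoles are not expanded."""
    granting = set()
    for r in roles:
        if any(_grants_policy_create(rule) for rule in r.get("rules") or []):
            granting.add((r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]))
    found = []
    for b in bindings:
        ref, ns = b["roleRef"], b["metadata"].get("namespace")  # ns is None for ClusterRoleBinding
        ref_ns = None if ref["kind"] == "ClusterRole" else ns
        if (ref["kind"], ref_ns, ref["name"]) not in granting:
            continue
        scope = "cluster" if b["kind"] == "ClusterRoleBinding" else "namespace/" + ns
        for s in b.get("subjects") or []:
            found.append((s["kind"], s.get("namespace"), s["name"], scope))
    return found

# Constructed samples: one affected controller image, one policy-editing group,
# one read-only group, and a namespaced wildcard role bound to a CI service account.
SAMPLE_DEPLOYMENTS = {"items": [
    {"metadata": {"name": "kyverno-background-controller"}, "spec": {"template": {"spec": {
        "containers": [{"name": "controller", "image": "ghcr.io/kyverno/background-controller:v1.17.1"}]}}}},
    {"metadata": {"name": "kyverno-admission-controller"}, "spec": {"template": {"spec": {
        "containers": [{"name": "kyverno", "image": "ghcr.io/kyverno/kyverno:v1.17.2"}]}}}},
]}
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "policy-editor"}, "rules": [
        {"apiGroups": ["kyverno.io"], "resources": ["policies", "clusterpolicies"], "verbs": ["get", "create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "policy-viewer"}, "rules": [
        {"apiGroups": ["kyverno.io"], "resources": ["*"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "dev-admin", "namespace": "team-a"}, "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "policy-editors"},
     "roleRef": {"kind": "ClusterRole", "name": "policy-editor"},
     "subjects": [{"kind": "Group", "name": "platform-team"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "viewers"},
     "roleRef": {"kind": "ClusterRole", "name": "policy-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-admins", "namespace": "team-a"},
     "roleRef": {"kind": "Role", "name": "dev-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "team-a"}]},
]

if __name__ == "__main__":
    for dep, container, ver in vulnerable_deployments(SAMPLE_DEPLOYMENTS):
        print("AFFECTED", dep + "/" + container, "runs", ver)
    for kind, ns, name, scope in policy_creators(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print("CAN CREATE POLICY", kind, (ns + "/" if ns else "") + name, "(" + scope + ")")
```

On the samples the version check flags only the background controller (1.17.1), and the RBAC walk reports the platform-team group cluster-wide plus the team-a CI service account through its wildcard Role, while the read-only group is ignored. Aggregated ClusterRoles are not expanded, so cross-check suspect subjects with `kubectl auth can-i create policies.kyverno.io --as=<subject>` before relying on the list.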

Related ATT&CK Techniques

T1499 Endpoint Denial of Service (Impact tactic), rated critical for this entry.

Detection Rules

Two detection rules were auto-generated for this entry and mapped to MITRE ATT&CK, provided as Sigma YAML and exportable to Splunk SPL, Sentinel KQL, Elastic, QRadar AQL and Wazuh. The rule shown is titled "CVE-2026-41485: Kyverno Policy Engine CrashLoopBackOff via Unchecked Type Assertion".

Indicators of Compromise

The entries below describe the vulnerability's conditions rather than observable artifacts (no hashes, domains or addresses are listed for this CVE), so treat them as triage criteria.

ID | Type | Indicator
CVE-2026-41485 | DoS | Kyverno versions prior to 1.17.2 and 1.16.4
CVE-2026-41485 | DoS | Unchecked type assertion in the `forEach` mutation handler
CVE-2026-41485 | DoS | Creation of a `Policy` or `ClusterPolicy` by a user holding that permission
CVE-2026-41485 | DoS | Cluster-wide background controller enters CrashLoopBackOff
CVE-2026-41485 | DoS | Admission controller drops connections, blocking matching resource operations
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 24, 2026 at 07:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
