CVE-2026-41485: Kyverno Controller Denial of Service via forEach Mutation Panic
An unchecked type assertion in the forEach mutation handler allows any user with permission to create a Policy or ClusterPolicy to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also causes the admission controller to drop connections and block all matching resource operations. The crash loop persists until the policy is deleted. The vulnerability is confined to the legacy engine, and CEL-based policies are unaffected.
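As an added illustration of the bug class described above, not code from Kyverno: a hypothetical forEach handler written once with the crashing single-value type assertion and once with the checked two-value form that turns a malformed policy into an ordinary error. The ForEachEntry type, the field name `list` and the sample entries are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// ForEachEntry models one element of a forEach mutation list as decoded from
// policy YAML: untyped values. Hypothetical model, not Kyverno's real types.
type ForEachEntry map[string]interface{}

var ErrBadListField = errors.New("forEach: 'list' must be a string") // returned instead of panicking

// unsafeList is the vulnerable pattern: a single-value type assertion panics
// when the policy author supplies a map, number or nil where a string belongs.
func unsafeList(e ForEachEntry) string {
	return e["list"].(string) // a panic here takes the whole controller down
}

// safeList is the hardened pattern: the two-value form never panics and
// reports the malformed policy as an error the caller can surface.
func safeList(e ForEachEntry) (string, error) {
	v, ok := e["list"].(string)
	if !ok {
		return "", fmt.Errorf("%w, got %T", ErrBadListField, e["list"])
	}
	return v, nil
}

// callUnsafe reports whether unsafeList panics on the entry, recovering so the
// demonstration itself does not crash.
func callUnsafe(e ForEachEntry) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	_ = unsafeList(e)
	return false
}

func main() {
	// Constructed sample entries: one well-formed, one with the wrong type.
	good := ForEachEntry{"list": "request.object.spec.containers"}
	bad := ForEachEntry{"list": map[string]interface{}{"x": 1}}
	fmt.Println("unsafe panics on bad entry:", callUnsafe(bad))
	_, err := safeList(bad)
	v, _ := safeList(good)
	fmt.Println("safe on good:", v, "| safe on bad:", err)
}
```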
References
- github.com/advisories/GHSA-fpjq-c37h-cqcv
- github.com/kyverno/kyverno
- github.com/kyverno/kyverno/commit/76c8fdbe87328722e099e1fd44c3f21c9f7809cb
- github.com/kyverno/kyverno/commit/80e728c2283a0c65e5adb02d8a907106e6ebe7e3
- github.com/kyverno/kyverno/security/advisories/GHSA-fpjq-c37h-cqcv
- nvd.nist.gov/vuln/detail/CVE-2026-41485