Cyber Posture

CVE-2026-23881

Severity: High · Public PoC

Published: 27 January 2026

Modified: 02 February 2026
KEV Added: not listed
Patch: versions 1.16.3 and 1.15.3
CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0006 (19.2nd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23881 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Kyverno (vendor: Kyverno). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 19.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5), AI-generated

- Prevent (flaw remediation): Timely flaw remediation through patching to Kyverno versions 1.16.3 or 1.15.3 directly eliminates the unbounded memory consumption vulnerability in the policy engine.

- Prevent (SC-6 Resource Availability): Protects memory resource availability by implementing controls to prevent depletion from exponentially amplified string data in crafted policies.

- Prevent (SC-5 Denial-of-service Protection): Denial-of-service protection limits the effects of memory exhaustion attacks triggered by malicious policy processing.

MITRE ATT&CK Enterprise Techniques, AI-generated

T1499.004 Application or System Exploitation (tactic: Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables direct DoS via crafted input to exhaust application resources in the Kyverno policy engine (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.

Deeper analysis, AI-generated

CVE-2026-23881 is a vulnerability in Kyverno, a policy engine for cloud native platform engineering teams, affecting versions prior to 1.16.3 and 1.15.3. It stems from unbounded memory consumption (CWE-770) in Kyverno's policy engine, where users can craft policies that exponentially amplify string data through context variables, leading to denial of service. The issue carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H) and was published on 2026-01-27.

Attackers require low privileges, specifically policy creation permissions (PR:L), to exploit the vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Exploitation changes scope (S:C) and achieves high-impact denial of service (A:H) by consuming excessive memory, potentially crashing the policy engine without affecting confidentiality or integrity.

Kyverno addresses the vulnerability with patches in versions 1.16.3 and 1.15.3. Mitigation details are available in the GitHub security advisory (GHSA-r2rj-wwm5-x6mq) and the corresponding fix commits (7a651be3a8c78dcabfbf4178b8d89026bf3b850f and f5617f60920568a301740485472bf704892175b7).

Details

CWE(s): CWE-770 Allocation of Resources Without Limits or Throttling

Affected Products: kyverno / kyverno, versions ≤ 1.15.3 and 1.16.0 to 1.16.3

CVEs Like This One

- CVE-2026-41485 (same product: Kyverno)
- CVE-2026-22039 (same product: Kyverno)
- CVE-2025-29778 (same product: Kyverno)
- CVE-2026-4789 (same product: Kyverno)
- CVE-2026-40868 (same product: Kyverno)
- CVE-2026-41323 (same product: Kyverno)
- CVE-2026-41068 (same product: Kyverno)
- CVE-2026-33256 (shared CWE-770)
- CVE-2026-26313 (shared CWE-770)
- CVE-2025-27219 (shared CWE-770)
