CVE-2026-41485
Published: 24 April 2026
Summary
CVE-2026-41485 is a high-severity Reachable Assertion (CWE-617) vulnerability in Kyverno. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 13.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation by patching Kyverno to versions 1.17.2 or 1.16.4 directly fixes the unchecked type assertion in the forEach mutation handler.
Least privilege enforcement limits permissions to create Policy or ClusterPolicy resources, blocking low-privileged users from triggering the controller crash.
Information input validation on Policy and ClusterPolicy resources prevents malformed inputs from causing unchecked type assertion failures in the legacy engine.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables denial of service by allowing crafted Policy/ClusterPolicy resources to trigger a crash in the Kyverno controllers via unchecked type assertion, directly matching application/system exploitation for availability impact.
NVD Description
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also causes the admission controller to drop connections and block all matching resource operations. The crash loop persists until the policy is deleted. The vulnerability is confined to the legacy engine, and CEL-based policies are unaffected. Versions 1.17.2 and 1.16.4 fix the issue.
Deeper analysis
CVE-2026-41485 is a vulnerability in Kyverno, a policy engine for cloud native platform engineering teams, affecting versions prior to 1.17.2 and 1.16.4. It stems from an unchecked type assertion in the `forEach` mutation handler within the legacy engine, which can be triggered by specially crafted `Policy` or `ClusterPolicy` resources. CEL-based policies remain unaffected. The issue carries a CVSS v3.1 score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H) and is associated with CWE-617.
An attacker with permissions to create a `Policy` or `ClusterPolicy` can exploit this remotely over the network with low complexity. Successful exploitation crashes the cluster-wide background controller into a persistent CrashLoopBackOff state and causes the admission controller to drop connections, blocking all matching resource operations until the malicious policy is deleted. This results in high-impact availability disruption across the cluster scope with no confidentiality or integrity effects.
Mitigation is available via upgrades to Kyverno versions 1.17.2 or 1.16.4, which address the type assertion flaw through fixes detailed in GitHub commits 76c8fdbe87328722e099e1fd44c3f21c9f7809cb and 80e728c2283a0c65e5adb02d8a907106e6ebe7e3. The official advisory at GHSA-fpjq-c37h-cqcv provides further details on the patch and verification steps.
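The bug class behind this CVE, an unchecked Go type assertion inside a handler that iterates over policy elements, is illustrated below with a constructed example. This is added illustration, not Kyverno's code: the element shape (`map[string]interface{}`), the function names and the sample inputs are assumptions chosen to show why a single-value assertion turns a malformed element into a process-terminating panic, while the two-value form turns it into an error the caller can report and the controller can survive.

```go
package main

import "fmt"

// processUnchecked mimics the CWE-617 pattern: x.(T) with a single return
// value panics when the dynamic type does not match. In a controller, that
// panic is what produces a CrashLoopBackOff. Hypothetical code, not Kyverno's.
func processUnchecked(items []interface{}) int {
	total := 0
	for _, item := range items {
		m := item.(map[string]interface{}) // panics on a non-object element
		total += len(m)
	}
	return total
}

// processChecked is the hardened form: the two-value assertion reports the
// type mismatch as an error, so malformed input is rejected instead of
// crashing the process.
func processChecked(items []interface{}) (int, error) {
	total := 0
	for i, item := range items {
		m, ok := item.(map[string]interface{})
		if !ok {
			return 0, fmt.Errorf("forEach element %d: expected object, got %T", i, item)
		}
		total += len(m)
	}
	return total, nil
}

// callRecovering runs fn and converts a panic into an error, so the demo can
// show what the unchecked version does without terminating the program.
func callRecovering(fn func()) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	fn()
	return nil
}

func main() {
	// Constructed inputs: a well-formed list, and one whose second element
	// is a string where the handler assumes an object.
	good := []interface{}{
		map[string]interface{}{"a": 1},
		map[string]interface{}{"b": 2, "c": 3},
	}
	bad := []interface{}{
		map[string]interface{}{"a": 1},
		"not-an-object",
	}

	fmt.Println("unchecked, good input:", processUnchecked(good))
	fmt.Println("unchecked, bad input: ", callRecovering(func() { processUnchecked(bad) }))
	n, err := processChecked(bad)
	fmt.Println("checked, bad input:   ", n, err)
}
```

The defensive takeaway matches the controls listed above: validate the type of every element taken from a user-supplied policy before using it, and treat a mismatch as a rejectable input error rather than an assertion that the process cannot recover from.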
Details
- CWE(s)