Unchecked Type Assertion in Kyverno Policy Engine Causes Service Disruption
CVE-2026-41485

7.7 HIGH

Key Information:

Vendor

Kyverno

Status
Vendor
CVE Published:
24 April 2026

What is CVE-2026-41485?

Kyverno, a policy engine tailored for cloud native platform engineering, is vulnerable due to an unchecked type assertion in the 'forEach' mutation handler. This flaw allows users with permission to create a Policy or ClusterPolicy to crash the background controller, leaving it in a persistent CrashLoopBackOff state. The same issue also affects the admission controller, leading to dropped connections and interference with resource operations until the problematic policy is removed. Note that this vulnerability affects only the legacy engine; CEL-based policies remain unaffected. Users should upgrade to version 1.17.2 or 1.16.4 to mitigate the risk.
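The root cause named above is a Go pattern rather than anything specific to policy semantics: a type assertion of the form `v := x.(T)` panics when `x` does not hold a `T`, and inside a long-running controller that panic takes the whole process down. The following added example (constructed for this page, not Kyverno's code) contrasts a handler that walks a list of `forEach` elements with an unchecked assertion against a hardened version that uses the two-value `v, ok := x.(T)` form and returns an error instead. The function names, the `ErrUnexpectedType` sentinel and the sample input are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrUnexpectedType is returned by the hardened handler when a list element
// is not the object shape the handler expects (hypothetical sentinel).
var ErrUnexpectedType = errors.New("forEach element is not an object")

// CountKeysUnchecked mimics an unchecked type assertion: it assumes every
// element is a map. One element of any other type makes the process panic,
// which is the failure mode a controller cannot survive.
func CountKeysUnchecked(elements []interface{}) int {
	total := 0
	for _, e := range elements {
		obj := e.(map[string]interface{}) // panics if e is not a map
		total += len(obj)
	}
	return total
}

// CountKeysChecked is the hardened form: the comma-ok assertion turns a
// malformed element into a returned error that the caller can report as a
// policy validation failure, leaving the process running.
func CountKeysChecked(elements []interface{}) (int, error) {
	total := 0
	for i, e := range elements {
		obj, ok := e.(map[string]interface{})
		if !ok {
			return 0, fmt.Errorf("element %d: %w (got %T)", i, ErrUnexpectedType, e)
		}
		total += len(obj)
	}
	return total, nil
}

// DidPanic reports whether fn panicked. It exists only to demonstrate the
// unchecked handler's behaviour; recover() is not a substitute for the
// comma-ok check in real code.
func DidPanic(fn func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	// Constructed inputs: a well-formed list of objects, and one where a
	// single element is a string rather than an object.
	good := []interface{}{
		map[string]interface{}{"a": 1},
		map[string]interface{}{"b": 2, "c": 3},
	}
	bad := []interface{}{
		map[string]interface{}{"a": 1},
		"not-an-object",
	}

	fmt.Println("unchecked, good input:", CountKeysUnchecked(good))
	fmt.Println("unchecked, bad input panics:", DidPanic(func() { CountKeysUnchecked(bad) }))

	if n, err := CountKeysChecked(good); err == nil {
		fmt.Println("checked, good input:", n)
	}
	if _, err := CountKeysChecked(bad); err != nil {
		fmt.Println("checked, bad input:", err)
	}
}
```

In a controller, the error path of the checked version is where the malformed policy should be rejected or reported; the difference between the two functions is the difference between one failed reconcile and a CrashLoopBackOff.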

Affected Version(s)

kyverno < 1.16.4

kyverno >= 1.17.0-rc1, < 1.17.2

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
