CVE-2026-23881 HIGH

CVE-2026-23881: Kyverno Denial of Service via Context Variable Amplification in Policy Engine

Vendor Kyverno
Product kyverno
Weakness CWE-770 · Uncontrolled resource consumption
Published January 27, 2026
Last update January 27, 2026

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.

Key dates

02Disclosure timeline

January 27, 2026 CVE published
January 27, 2026 Record updated