CVE-2019-9946
Description
Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to set up HostPorts for CNI, inserts rules at the front of the iptables nat chains, which take precedence over the KUBE-SERVICES chain. Because of this, the HostPort/portmap rule could match incoming traffic even if there were better fitting, more specific service definition rules like NodePorts later in the chain. The issue is fixed in CNI 0.7.5 and Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CNI portmap plugin in Kubernetes improperly prepends iptables rules, allowing HostPort traffic to bypass more specific service rules; fixed in CNI 0.7.5 and Kubernetes 1.11.9+.
Vulnerability
The CNI portmap plugin (versions prior to 0.7.5) used in Kubernetes inserts iptables NAT rules at the front of the chain, taking precedence over the KUBE-SERVICES chain. This misconfiguration allows incoming traffic matching a HostPort to bypass more specific service rules like NodePorts. The issue affects CNI portmap before 0.7.5, which is embedded in Kubernetes releases before 1.11.9, 1.12.7, 1.13.5, and 1.14.0 [1][2].
Exploitation
An attacker can send network traffic to a HostPort assigned to a pod; if there are also service rules (e.g., NodePort) that would normally match more specifically, the portmap rule incorrectly takes precedence due to its position at the front of the chain. This can be exploited by any remote attacker able to reach the node's IP and port, without requiring authentication, as the rule misordering occurs at the iptables level. The issue was identified with kube-proxy in IPVS mode, but other configurations using the CNI portmap plugin may also be vulnerable [2].
Impact
Successful exploitation allows an attacker to bypass intended service network policies, potentially reaching a pod's HostPort instead of a more restricted service endpoint. This can lead to unauthorized access to services running on the pod, information disclosure, or further compromise depending on the pod's functionality. The attacker gains network access at the same privilege level as the host's networking, potentially intercepting or redirecting traffic meant for NodePort services [2].
Mitigation
Upgrade the CNI portmap plugin to version 0.7.5 or later, which appends rather than prepends iptables rules, ensuring KUBE-SERVICES rules are evaluated first [2]. For Kubernetes, upgrade to versions 1.11.9, 1.12.7, 1.13.5, or 1.14.0 [2]. Red Hat Enterprise Linux 7 Extras provides an updated containernetworking-plugins package to v0.7.5 [1]. No workaround other than upgrading is documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
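The ordering defect above can be verified on a node by looking at where the portmap jump sits relative to the KUBE-SERVICES jump in the nat PREROUTING chain. The following POSIX shell check is an added example, not code from the CVE record or the CNI project; it assumes the portmap plugin's DNAT chain is named CNI-HOSTPORT-DNAT, and the two rule listings are constructed samples in `iptables -t nat -S PREROUTING` format.

```shell
#!/bin/sh
# Added example (not from the CVE record or the CNI project): report whether the
# nat PREROUTING chain reaches the portmap plugin's jump before the KUBE-SERVICES
# jump, which is the pre-0.7.5 ordering described by CVE-2019-9946.
# Assumption: the portmap plugin's DNAT chain is named CNI-HOSTPORT-DNAT.
#
# $1 is a rule listing in `iptables -t nat -S PREROUTING` format, one rule per line.
# Prints a verdict; returns 0 when safe, 1 when the portmap jump comes first.
check_prerouting_order() {
    printf '%s\n' "$1" | awk '
        # Remember the listing line of the first jump into each chain.
        /-j KUBE-SERVICES( |$)/      && !ks  { ks = NR }
        /-j CNI-HOSTPORT-DNAT( |$)/  && !cni { cni = NR }
        END {
            if (!ks || !cni) { print "OK: both jumps are not present, nothing to compare"; exit 0 }
            if (cni < ks) {
                print "VULNERABLE: CNI-HOSTPORT-DNAT jump (line " cni ") precedes KUBE-SERVICES (line " ks ")"
                exit 1
            }
            print "OK: KUBE-SERVICES (line " ks ") precedes CNI-HOSTPORT-DNAT (line " cni ")"
            exit 0
        }'
}

# Constructed sample listings. On a real node run instead:
#   check_prerouting_order "$(iptables -t nat -S PREROUTING)"
# Pre-0.7.5 portmap inserted its rule at the front, so it lists before KUBE-SERVICES:
VULNERABLE_LISTING='-P PREROUTING ACCEPT
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES'

# With the 0.7.5 fix the rule is appended, so KUBE-SERVICES is evaluated first:
FIXED_LISTING='-P PREROUTING ACCEPT
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j CNI-HOSTPORT-DNAT'

# Demonstration on the constructed listings (exit status 1, then 0):
check_prerouting_order "$VULNERABLE_LISTING" || :
check_prerouting_order "$FIXED_LISTING"
```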
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: v0.13.1-dev, v0.17.0, v0.6.0, …
- Range: <=0.7.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/errata/RHBA-2019:0862 (Red Hat vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FCN66VYB3XS76SYH567SO7N3I254JOCT/ (Fedora vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGOOWAELGH3F7OXRBPH3HCNZELNLXYTW/ (Fedora vendor advisory)
- github.com/containernetworking/plugins/pull/269 (upstream fix)
- security.netapp.com/advisory/ntap-20190416-0002/ (NetApp advisory)
News mentions
No linked articles in our index yet.