Moderate severity · NVD Advisory · Published Oct 30, 2023 · Updated Jun 12, 2025
Windows kube-proxy LoadBalancer contention
CVE-2021-25736
Description
Kube-proxy on Windows can unintentionally forward traffic to local processes listening on the same port (“spec.ports[*].port”) as a LoadBalancer Service when the LoadBalancer controller does not set the “status.loadBalancer.ingress[].ip” field. Clusters where the LoadBalancer controller sets the “status.loadBalancer.ingress[].ip” field are unaffected.
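An audit for the condition described above, as an added example that is not part of the advisory or of the Kubernetes code base: it lists LoadBalancer Services that have an ingress entry with no parseable IP, together with the `spec.ports[*].port` values involved, using the same `net.ParseIP` test as the fix commit. The `service` type, the `ExposedPorts` function and the sample Service list are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// service: subset of the Service schema (hypothetical type, added example).
type service struct {
	Metadata struct{ Namespace, Name string }
	Spec     struct{ Type string; Ports []struct{ Port int } }
	Status   struct{ LoadBalancer struct{ Ingress []struct{ IP string } } }
}

// Constructed sample in the shape of `kubectl get svc -A -o json`.
const sample = `{"items":[
{"metadata":{"namespace":"web","name":"by-ip"},"spec":{"type":"LoadBalancer","ports":[{"port":80}]},"status":{"loadBalancer":{"ingress":[{"ip":"203.0.113.10"}]}}},
{"metadata":{"namespace":"web","name":"by-host"},"spec":{"type":"LoadBalancer","ports":[{"port":443},{"port":8080}]},"status":{"loadBalancer":{"ingress":[{"hostname":"lb.example.test"}]}}},
{"metadata":{"namespace":"web","name":"internal"},"spec":{"type":"ClusterIP","ports":[{"port":5985}]},"status":{"loadBalancer":{}}}]}`

// ExposedPorts (hypothetical helper) maps "namespace/name" to spec.ports[*].port
// for every LoadBalancer Service with an ingress entry whose ip does not parse.
func ExposedPorts(raw []byte) (map[string][]int, error) {
	var list struct{ Items []service }
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	out := map[string][]int{}
	for _, s := range list.Items {
		if s.Spec.Type != "LoadBalancer" {
			continue
		}
		for _, ing := range s.Status.LoadBalancer.Ingress {
			if net.ParseIP(ing.IP) == nil { // same test the fix commit applies
				key := s.Metadata.Namespace + "/" + s.Metadata.Name
				for _, p := range s.Spec.Ports {
					out[key] = append(out[key], p.Port)
				}
				break // one IP-less entry is enough to flag the Service
			}
		}
	}
	return out, nil
}

func main() {
	fmt.Println(ExposedPorts([]byte(sample)))
}
```

A non-empty result matters only on clusters with Windows nodes running an affected kube-proxy; the listed ports are the ones to compare against local listeners on those nodes.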
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| k8s.io/kubernetes (Go) | < 1.21 | 1.21 |
Affected products
- Range: 0
Patches
b014610de3e5 Merge pull request #99958 from sbangari/winkubeproxylbservicefix
1 file changed · +3 −1
pkg/proxy/winkernel/proxier.go+3 −1 modified@@ -410,7 +410,9 @@ func (proxier *Proxier) newServiceInfo(port *v1.ServicePort, service *v1.Service } for _, ingress := range service.Status.LoadBalancer.Ingress { - info.loadBalancerIngressIPs = append(info.loadBalancerIngressIPs, &loadBalancerIngressInfo{ip: ingress.IP}) + if net.ParseIP(ingress.IP) != nil { + info.loadBalancerIngressIPs = append(info.loadBalancerIngressIPs, &loadBalancerIngressInfo{ip: ingress.IP}) + } } return info }
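Review bot: in the ingress loop of newServiceInfo, an entry that fails the `net.ParseIP(ingress.IP) != nil` guard is dropped with no log line and no comment explaining why, so an operator whose LoadBalancer controller reports no IP gets no signal that the ingress was ignored. Suggest a short comment on the guard stating that an empty or non-IP value must not be stored in loadBalancerIngressIPs, plus a log message naming the service when an entry is skipped. The change touches one file (+3 −1) and carries no test; a case for newServiceInfo with an ingress whose IP is empty would pin the behaviour.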
References
- github.com/advisories/GHSA-35c7-w35f-xwgh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-25736 (ghsa, ADVISORY)
- github.com/kubernetes/kubernetes/commit/b014610de3e5cf1bb0f7844b5758d29fc18b75e6 (ghsa, WEB)
- github.com/kubernetes/kubernetes/pull/99958 (ghsa, WEB)
- groups.google.com/g/kubernetes-security-announce/c/lIoOPObO51Q/m/O15LOazPAgAJ (ghsa, WEB)
- security.netapp.com/advisory/ntap-20231221-0003 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20231221-0003/ (mitre)