VYPR
High severity · NVD Advisory · Published Sep 18, 2023 · Updated Sep 25, 2024

CVE-2023-32187

Description

An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers' apiserver/supervisor port (TCP 6443) to cause denial of service. This issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from v1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated remote attacker can inflate the Subject Alternative Name (SAN) list of the K3s supervisor's TLS certificate until TLS clients reject it, causing a denial of service (DoS).

Vulnerability

Overview

CVE-2023-32187 is a resource exhaustion vulnerability in SUSE's lightweight Kubernetes distribution, K3s. The root cause is a lack of limits or throttling when handling TLS Subject Alternative Name (SAN) entries. An attacker with network access to the K3s server's apiserver/supervisor port (TCP 6443) can perform a TLS handshake and force the server to add entries to the certificate's SAN list, a stuffing attack [3]. This continues until the certificate exceeds the maximum size allowed by TLS client implementations, such as OpenSSL, which raises an excessive message size error [3].

Exploitation

No authentication is required to exploit this vulnerability; only the ability to establish a TLS handshake with the targeted port (TCP 6443) [1][3]. This makes the attack surface broad, as any network-accessible K3s server is potentially vulnerable. The attacker repeatedly initiates TLS connections, each time padding the SAN list, gradually bloating the certificate. The process does not require any special privileges or prior access to the cluster [3].

Impact

Successful exploitation leads to a denial of service (DoS) condition. While the affected K3s server continues to operate, clients—including administrative tools like kubectl and new server or agent nodes—fail to establish new TLS connections [3]. This disrupts cluster management and scaling, effectively blocking legitimate administrative access and node joins until the issue is resolved.

Mitigation

SUSE has released fixed versions for all affected release lines: v1.24.17+k3s1, v1.25.13+k3s1, v1.26.8+k3s1, v1.27.5+k3s1, and v1.28.1+k3s1 [2][3]. Users on K3s 1.27 or earlier must also add the configuration parameter tls-san-security: true to enable enhanced security for the supervisor's TLS SAN list; this option defaults to true starting with K3s 1.28 [3]. A mitigation is available for those who cannot upgrade immediately: freezing the certificate via kubectl annotate secret -n kube-system k3s-serving listener.cattle.io/static=true, though this prevents automatic renewal and addition of new SAN entries [3].
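The following POSIX shell functions are an added operator check, not code from the advisory or the k3s project: they report whether a server's version falls inside the affected ranges listed above, whether tls-san-security: true is present in the config file, and how many SAN entries the supervisor certificate currently carries (a count that keeps growing between runs is the symptom described above). It assumes k3s reads its configuration from /etc/rancher/k3s/config.yaml and that openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the advisory or the k3s project.
# Assumptions: k3s config lives at /etc/rancher/k3s/config.yaml; openssl is in PATH.

# Exit 0 when version $1 (e.g. v1.27.4+k3s1) is below the fixed release of its
# minor line, using the ranges in the advisory. Minor lines the advisory does
# not list (e.g. 1.29) are treated as unaffected.
k3s_affected() {
  v=$(printf '%s' "$1" | sed 's/^v//; s/+.*$//')   # v1.27.4+k3s1 -> 1.27.4
  minor=$(printf '%s' "$v" | cut -d. -f2)
  patch=$(printf '%s' "$v" | cut -d. -f3)
  case "$minor" in
    24) fixed=17 ;;
    25) fixed=13 ;;
    26) fixed=8 ;;
    27) fixed=5 ;;
    28) fixed=1 ;;
    *)  return 1 ;;
  esac
  [ "$patch" -lt "$fixed" ]
}

# Exit 0 when the config file ($1, default /etc/rancher/k3s/config.yaml) sets
# tls-san-security: true (required on 1.27 and earlier; default from 1.28).
tls_san_security_enabled() {
  grep -Eq '^[[:space:]]*tls-san-security:[[:space:]]*true[[:space:]]*$' \
    "${1:-/etc/rancher/k3s/config.yaml}" 2>/dev/null
}

# Print the number of DNS and IP SAN entries in a PEM certificate read on stdin.
san_count_pem() {
  openssl x509 -noout -text 2>/dev/null \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | grep -c -E 'DNS:|IP Address:'
}

# Print the SAN count of the certificate served on $1:${2:-6443}.
san_count_live() {
  openssl s_client -connect "$1:${2:-6443}" -servername "$1" </dev/null 2>/dev/null \
    | san_count_pem
}

# Usage: sh check-k3s-san.sh <k3s-version> <server-host>
if [ "$#" -ge 2 ]; then
  k3s_affected "$1" && echo "version $1 is in an affected range"
  tls_san_security_enabled || echo "tls-san-security: true is not set in the config file"
  echo "SAN entries currently served by $2: $(san_count_live "$2")"
fi
```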

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Ecosystem  Affected versions      Patched versions
github.com/k3s-io/k3s    Go         < 1.24.17              1.24.17
github.com/k3s-io/k3s    Go         >= 1.25.0, < 1.25.13   1.25.13
github.com/k3s-io/k3s    Go         >= 1.26.0, < 1.26.8    1.26.8
github.com/k3s-io/k3s    Go         >= 1.27.0, < 1.27.5    1.27.5
github.com/k3s-io/k3s    Go         >= 1.28.0, < 1.28.1    1.28.1

Affected products: 12

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)