Kubernetes - Windows nodes - Insufficient input sanitization in in-tree storage plugin leads to privilege escalation
Description
A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Kubernetes in-tree storage plugin on Windows nodes lacks input sanitization, allowing users with pod and PV creation privileges to escalate to admin.
Vulnerability Overview
CVE-2023-5528 is a privilege escalation vulnerability in Kubernetes affecting Windows nodes. The root cause is insufficient input sanitization in the in-tree storage plugin used by the kubelet on Windows. When creating pods and persistent volumes (PVs), a user can inject malicious input that leads to arbitrary command execution with elevated privileges [4].
Exploitation Prerequisites
An attacker must have the ability to create pods and persistent volumes on a Kubernetes cluster that includes Windows nodes. The vulnerability is only exploitable on clusters using the in-tree storage plugin for Windows, not on those using out-of-tree CSI drivers [1][4]. The attack does not require network access to the node itself, as the malicious PV creation occurs through the Kubernetes API.
Impact and Severity
Successful exploitation allows an attacker to escalate from a standard user to administrator (SYSTEM) privileges on the Windows node. This can lead to full compromise of the node, including access to all workloads, secrets, and the ability to pivot to other cluster components. The CVSS 3.1 base score is 7.2 (HIGH), reflecting the need for high privileges to initiate the attack [4].
Mitigation
The vulnerability affects kubelet versions from v1.8.0 through v1.25.16, v1.26.11, v1.27.8, and v1.28.4. Patches were released on November 14, 2023, fixing the issue by replacing the unsafe mklink call with a Go library function [2][4]. Administrators should upgrade kubelet on Windows nodes to the fixed versions. No workarounds are available; clusters without Windows nodes are not impacted.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| k8s.io/kubernetes (Go) | >= 1.28.0, < 1.28.4 | 1.28.4 |
| k8s.io/kubernetes (Go) | >= 1.27.0, < 1.27.8 | 1.27.8 |
| k8s.io/kubernetes (Go) | >= 1.26.0, < 1.26.11 | 1.26.11 |
| k8s.io/kubernetes (Go) | < 1.25.16 | 1.25.16 |
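To triage a cluster against the ranges in the table above, the following added example (not code from the advisory or the Kubernetes project) reads node inventory in the shape of `kubectl get nodes -o json` and lists Windows nodes whose kubelet is still in an affected range. The sample inventory and node names are constructed; whether a flagged node actually uses an in-tree storage plugin has to be confirmed separately.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// firstFixed maps a 1.x minor release line to its first patched patch release (table above).
var firstFixed = map[int]int{28: 4, 27: 8, 26: 11, 25: 16}

// affected reports whether a kubelet version like "v1.27.6" is in range; text after the patch number is ignored.
func affected(v string) (bool, error) {
	var major, minor, patch int
	if _, err := fmt.Sscanf(v, "v%d.%d.%d", &major, &minor, &patch); err != nil || major != 1 {
		return false, fmt.Errorf("unrecognized kubelet version %q", v)
	}
	fixed, listed := firstFixed[minor]
	// Lines older than 1.25 fall under "< 1.25.16"; lines newer than 1.28 are not listed as affected.
	return minor < 25 || (listed && patch < fixed), nil
}

// node holds the Node fields used here (encoding/json matches the JSON keys case-insensitively).
type node struct {
	Metadata struct{ Name string }
	Status   struct{ NodeInfo struct{ OperatingSystem, KubeletVersion string } }
}

// affectedWindowsNodes returns the Windows nodes with an affected or unparseable kubelet version.
func affectedWindowsNodes(raw []byte) ([]string, error) {
	var list struct{ Items []node }
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	var out []string
	for _, n := range list.Items {
		bad, err := affected(n.Status.NodeInfo.KubeletVersion)
		if n.Status.NodeInfo.OperatingSystem == "windows" && (bad || err != nil) {
			out = append(out, n.Metadata.Name) // unparseable versions are flagged for manual review
		}
	}
	return out, nil
}

// Constructed sample inventory; node names and versions are made up for the example.
const sample = `{"items":[{"metadata":{"name":"win-a"},"status":{"nodeInfo":{"operatingSystem":"windows","kubeletVersion":"v1.27.6"}}},
 {"metadata":{"name":"win-b"},"status":{"nodeInfo":{"operatingSystem":"windows","kubeletVersion":"v1.28.4"}}},
 {"metadata":{"name":"lin-a"},"status":{"nodeInfo":{"operatingSystem":"linux","kubeletVersion":"v1.26.3"}}}]}`

func main() {
	fmt.Println(affectedWindowsNodes([]byte(sample)))
}
```
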
Affected products
- Kubernetes/kubelet (v5) Range: v1.28.0
References
- github.com/advisories/GHSA-hq6q-c2x6-hmch (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-5528 (ghsa, ADVISORY)
- github.com/kubernetes/kubernetes/issues/121879 (ghsa, issue-tracking, WEB)
- github.com/kubernetes/kubernetes/pull/121881 (ghsa, WEB)
- github.com/kubernetes/kubernetes/pull/121882 (ghsa, WEB)
- github.com/kubernetes/kubernetes/pull/121883 (ghsa, WEB)
- github.com/kubernetes/kubernetes/pull/121884 (ghsa, WEB)
- github.com/kubernetes/kubernetes/pull/121885 (ghsa, WEB)
- groups.google.com/g/kubernetes-security-announce/c/SL_d4NR8pzA (ghsa, mailing-list, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3JH444PWZBINXLLFV7XLIJIZJHSK6UEZ (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4XZIX727JIKF5RQW7RVVBLWXBCDIBJA7 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MPGMITSZXUCAVO7Q75675SOLXC2XXU4 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20240119-0009 (ghsa, WEB)