High severity · OSV Advisory · Published Jan 27, 2026 · Updated Jan 27, 2026
Kyverno Denial of Service via Context Variable Amplification in Policy Engine
CVE-2026-23881
Description
Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/kyverno/kyverno (Go) | < 1.15.3 | 1.15.3 |
| github.com/kyverno/kyverno (Go) | >= 1.16.0-rc.1, < 1.16.3 | 1.16.3 |
References
- github.com/advisories/GHSA-r2rj-wwm5-x6mq (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-23881 (ghsa, ADVISORY)
- github.com/kyverno/kyverno/commit/7a651be3a8c78dcabfbf4178b8d89026bf3b850f (ghsa, x_refsource_MISC, WEB)
- github.com/kyverno/kyverno/commit/f5617f60920568a301740485472bf704892175b7 (ghsa, x_refsource_MISC, WEB)
- github.com/kyverno/kyverno/security/advisories/GHSA-r2rj-wwm5-x6mq (ghsa, x_refsource_CONFIRM, WEB)