CVE-2026-41485
Description
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the forEach mutation handler allows any user with permission to create a Policy or ClusterPolicy to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also causes the admission controller to drop connections and block all matching resource operations. The crash loop persists until the policy is deleted. The vulnerability is confined to the legacy engine, and CEL-based policies are unaffected. Versions 1.17.2 and 1.16.4 fix the issue.
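The bug class described above, as an added illustration that is not Kyverno's code: a Go handler that iterates decoded forEach entries with a single-value type assertion panics (and so crashes the whole process, which is what the CrashLoopBackOff reflects) when one entry has an unexpected type, while the comma-ok form returns an error the caller can surface. The sample entries, the handler names and `ErrBadElement` are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed input: the kind of value a forEach mutation handler sees after the
// policy YAML is decoded. The second element is a string rather than an object.
var sampleEntries = []interface{}{
	map[string]interface{}{"name": "app", "image": "nginx"},
	"not-a-map",
}

// uncheckedHandler mirrors the vulnerable pattern (illustrative, not Kyverno's
// code): a single-value type assertion that panics on an unexpected type.
func uncheckedHandler(entries []interface{}) []string {
	var names []string
	for _, e := range entries {
		m := e.(map[string]interface{}) // panics on "not-a-map"
		names = append(names, fmt.Sprint(m["name"]))
	}
	return names
}

var ErrBadElement = errors.New("forEach element is not an object")

// checkedHandler is the hardened form: the comma-ok assertion turns the type
// mismatch into an error the caller can surface, so the process keeps running.
func checkedHandler(entries []interface{}) ([]string, error) {
	var names []string
	for i, e := range entries {
		m, ok := e.(map[string]interface{})
		if !ok {
			return nil, fmt.Errorf("element %d: %w (got %T)", i, ErrBadElement, e)
		}
		names = append(names, fmt.Sprint(m["name"]))
	}
	return names, nil
}

// panics reports whether fn panics, so the crash can be shown in a test rather
// than by taking down a controller.
func panics(fn func()) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	fn()
	return false
}
```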
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/kyverno/kyverno | Go | >= 1.13.0, < 1.16.4 | 1.16.4 |
| github.com/kyverno/kyverno | Go | >= 1.17.0-rc.1, < 1.17.2 | 1.17.2 |
Affected products
Patches
Vulnerability mechanics
References
- github.com/kyverno/kyverno/commit/76c8fdbe87328722e099e1fd44c3f21c9f7809cb (NVD: Patch)
- github.com/kyverno/kyverno/commit/80e728c2283a0c65e5adb02d8a907106e6ebe7e3 (NVD: Patch)
- github.com/kyverno/kyverno/security/advisories/GHSA-fpjq-c37h-cqcv (NVD: Exploit, Vendor Advisory)
- github.com/advisories/GHSA-fpjq-c37h-cqcv (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-41485 (GHSA: Advisory)
News mentions
No linked articles in our index yet.