VYPR
High severity7.7NVD Advisory· Published Apr 24, 2026· Updated Apr 27, 2026

CVE-2026-41485

CVE-2026-41485

Description

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the forEach mutation handler allows any user with permission to create a Policy or ClusterPolicy to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also causes the admission controller to drop connections and block all matching resource operations. The crash loop persists until the policy is deleted. The vulnerability is confined to the legacy engine, and CEL-based policies are unaffected. Versions 1.17.2 and 1.16.4 fix the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/kyverno/kyvernoGo
>= 1.13.0, < 1.16.41.16.4
github.com/kyverno/kyvernoGo
>= 1.17.0-rc.1, < 1.17.21.17.2

Affected products

47

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.