CVE-2026-53715

ADVISORY - github

Summary

Vulnerability report without repro case. Repro case may be added later after harness is complete.

Preconditions (4):

  • Pod-network reachability to :18002 (no auth)
  • Tenant can create EnvoyExtensionPolicy (baseline)
  • Attacker pod floods GET while churning EnvoyExtensionPolicy with distinct Wasm URLs
  • Read at :153 must overlap a write at :201/:209 (probabilistic, attacker controls both rates)

Description:

httpserver.go:153 reads s.mappingPath2Cache with no lock while httpserver.go:201/209 write it under s.Lock(); the struct uses a plain map. Writer is tenant-reachable via EnvoyExtensionPolicy translation, reader is pod-network-reachable on :18002 with per-request goroutines. Go's concurrent map read+write detection calls runtime.throw, which net/http's per-conn recover cannot catch, so the controller process exits — cross-tenant control-plane DoS. Capped at MEDIUM: DoS-only, k8s restarts pod, timing-dependent trigger.

EPSS Score: 0.0004 (0.126)

Common Weakness Enumeration (CWE)

ADVISORY - github

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')


GitHub

CREATED

UPDATED

EXPLOITABILITY SCORE

1.6

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

5.3medium