CVE-2026-53716
ADVISORY - githubSummary
Vulnerability report without repro case. Repro case may be added later after harness is complete.
Preconditions (4):
- Tenant can create EnvoyExtensionPolicy (baseline)
- Attacker hosts a gzip-bomb at a reachable URL
- sha256 unset (optional field; check is post-decompression anyway)
- No operator Wasm-URL allowlist (none exists in code)
Description
getFileFromGZ calls io.ReadAll on a raw gzip.Reader (httpfetcher.go:216) with no output bound, while the compressed input is capped at 256 MiB (httpfetcher.go:139). The bytes originate from a tenant-controlled EnvoyExtensionPolicy.spec.wasm[].code.http.url (envoyextensionpolicy.go:1077 → cache.go:248 → httpfetcher.go:147 → :233), so an untrusted tenant can point at a ~10 MiB gzip-of-zeros and force ~10 GiB allocation in the shared controller process. All candidate guards execute either before the body is buffered or after decompression. OOM-kills, restarts, re-reconciles same CR, crash-loops — persistent cross-tenant control-plane outage with PR:L/AC:L and scope change → HIGH despite availability-only.
Common Weakness Enumeration (CWE)
Memory Allocation with Excessive Size Value
GitHub
2.8