CVE-2026-53716

ADVISORY - github

Summary

Vulnerability report without repro case. Repro case may be added later after harness is complete.

Preconditions (4):

  • Tenant can create EnvoyExtensionPolicy (baseline)
  • Attacker hosts a gzip-bomb at a reachable URL
  • sha256 unset (optional field; check is post-decompression anyway)
  • No operator Wasm-URL allowlist (none exists in code)

Description

getFileFromGZ calls io.ReadAll on a raw gzip.Reader (httpfetcher.go:216) with no output bound, while the compressed input is capped at 256 MiB (httpfetcher.go:139). The bytes originate from a tenant-controlled EnvoyExtensionPolicy.spec.wasm[].code.http.url (envoyextensionpolicy.go:1077 → cache.go:248 → httpfetcher.go:147 → :233), so an untrusted tenant can point at a ~10 MiB gzip-of-zeros and force ~10 GiB allocation in the shared controller process. All candidate guards execute either before the body is buffered or after decompression. OOM-kills, restarts, re-reconciles same CR, crash-loops — persistent cross-tenant control-plane outage with PR:L/AC:L and scope change → HIGH despite availability-only.

EPSS Score: 0.00044 (0.141)

Common Weakness Enumeration (CWE)

ADVISORY - github

Memory Allocation with Excessive Size Value


Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in