CVE-2026-53717
ADVISORY - githubSummary
Vulnerability report without repro case. Repro case may be added later after harness is complete.
Preconditions (4):
- Tenant can create EnvoyExtensionPolicy (baseline)
- Controller has egress to attacker-controlled OCI registry
- No registry allowlist (none exists in code)
- Layer presents Docker/OCI media type
Description
At imagefetcher.go:287, make([]byte, h.Size) uses the attacker-controlled tar-header size; the LimitReader at :278 bounds bytes read from the stream but not the header-declared size returned by tr.Next() (a 512-byte header can claim a multi-TB entry via PAX/GNU encoding). Reached from untrusted tenant input via EnvoyExtensionPolicy spec.wasm[].code.image.url (envoyextensionpolicy.go:1157 → cache.go:262/299 → imagefetcher.go:218 → :287), and the allocation happens for every tar entry regardless of filename. The resulting Go runtime OOM throw is unrecoverable and, because the CRD persists, crash-loops the shared controller — single-request, non-volumetric, cluster-wide DoS.
Common Weakness Enumeration (CWE)
Memory Allocation with Excessive Size Value
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in