CVE-2026-53717

ADVISORY - github

Summary

Vulnerability report without repro case. Repro case may be added later after harness is complete.

Preconditions (4):

  • Tenant can create EnvoyExtensionPolicy (baseline)
  • Controller has egress to attacker-controlled OCI registry
  • No registry allowlist (none exists in code)
  • Layer presents Docker/OCI media type

Description

At imagefetcher.go:287, make([]byte, h.Size) uses the attacker-controlled tar-header size; the LimitReader at :278 bounds bytes read from the stream but not the header-declared size returned by tr.Next() (a 512-byte header can claim a multi-TB entry via PAX/GNU encoding). Reached from untrusted tenant input via EnvoyExtensionPolicy spec.wasm[].code.image.url (envoyextensionpolicy.go:1157 → cache.go:262/299 → imagefetcher.go:218 → :287), and the allocation happens for every tar entry regardless of filename. The resulting Go runtime OOM throw is unrecoverable and, because the CRD persists, crash-loops the shared controller — single-request, non-volumetric, cluster-wide DoS.

EPSS Score: 0.00044 (0.141)

Common Weakness Enumeration (CWE)

ADVISORY - github

Memory Allocation with Excessive Size Value


Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in