Listen to this Post
The vulnerability exists in the forEach mutation handler of Kyverno’s legacy engine. In pkg/engine/mutate/mutation.go, the `ForEach` function performs a bare type assertion on a map value: patcher := NewPatcher(fe["patchStrategicMerge"], fe["patchesJson6902"].(string)). When a forEach rule uses a `patchesJson6902` field containing a variable substitution that resolves to nil at runtime, such as {{ element.nonexistent }}, the type assertion `.(string)` on a nil interface triggers an unrecoverable Go panic: panic: interface conversion: interface {} is nil, not string. When a `mutateExisting` rule triggers, the admission controller creates an `UpdateRequest` resource that the background controller processes asynchronously. This resource survives controller restarts, re‑triggering the panic on every restart until the policy or `UpdateRequest` is deleted. The background controller processes `mutateExisting` rules in worker goroutines where `k8s.io/apimachinery/pkg/util/runtime.HandleCrash` catches panics but re‑panics by default, killing the process. The admission controller survives because Go’s `net/http` server absorbs panics in handler goroutines via defer recover(), though the connection is dropped. The vulnerable code was introduced in 10702.
dailycve:
Platform: Kyverno Engine
Version: v1.13.0–v1.17.1
Vulnerability : Type Assertion
Severity: High (CVSS:7.7)
date: 2026‑04‑24
Prediction: Patch 2026‑04‑24
What Undercode Say:
The panic originates in `mutation.go` line 81, where a type assertion fails. Attackers can exploit this by crafting a Policy or ClusterPolicy that triggers the panic, causing a persistent denial of service. The vulnerability is confined to the legacy engine; CEL‑based policies are unaffected.
Bash Commands:
Verify CrashLoopBackOff kubectl get pods -n kyverno -l app.kubernetes.io/component=background-controller Trigger admission panic kubectl create secret generic test-secret --from-literal=key=value
Exploit:
A Policy with a forEach rule containing a `patchesJson6902` field that uses a substitution resolving to nil, e.g., {{ element.nonexistent }}. This triggers a panic in the mutation handler, crashing the background controller into CrashLoopBackOff. For ClusterPolicy, the admission controller drops connections, blocking matching resource operations.
Protection:
Upgrade to Kyverno versions 1.17.2 or 1.16.4. Alternatively, restrict creation of Policies or ClusterPolicies to trusted users. Avoid using variable substitutions that may resolve to nil in forEach mutation rules.
Impact:
Persistent denial of service of cluster‑wide Kyverno controllers. A user with Policy creation privileges can crash the background controller, halting background processing across all namespaces. With ClusterPolicy, the admission block extends cluster‑wide. The crash loop persists until the policy is deleted.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

