CVE-2026-49445
Cilium is a networking, observability, and security solution. Prior to 1.17.14, 1.18.8, and 1.19.2, when Cilium L7 functionality is enabled, the embedded or standalone Envoy instance creates a world-accessible admin.sock on cluster nodes, allowing a local attacker to access Envoy admin endpoints, expose TLS secrets, disrupt cluster traffic, or terminate Envoy. This issue is fixed in versions 1.17.14, 1.18.8, and 1.19.2.
Ver en NVDAnálisis
Cilium networking installations are vulnerable to local privilege escalation and data theft via a world-accessible Envoy admin socket. Attackers with access to a node or a compromised pod can expose TLS secrets, terminate Envoy processes, or disrupt cluster-wide traffic. Users should upgrade to Cilium 1.17.14, 1.18.8, or 1.19.2 immediately.
Roles relevantes
Severidad
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:HCWE-732EPSS
Sin puntaje EPSS aún (CVE muy reciente).
Descripción técnica
Cilium is a networking, observability, and security solution. Prior to 1.17.14, 1.18.8, and 1.19.2, when Cilium L7 functionality is enabled, the embedded or standalone Envoy instance creates a world-accessible admin.sock on cluster nodes, allowing a local attacker to access Envoy admin endpoints, expose TLS secrets, disrupt cluster traffic, or terminate Envoy. This issue is fixed in versions 1.17.14, 1.18.8, and 1.19.2.
Referencias
- https://github.com/cilium/cilium/commit/7bfbdd5c1be83d6c9ba3e089b4c804b6603505b6
- https://github.com/cilium/cilium/pull/44512
- https://github.com/cilium/cilium/releases/tag/v1.17.14
- https://github.com/cilium/cilium/releases/tag/v1.18.8
- https://github.com/cilium/cilium/releases/tag/v1.19.2
- https://github.com/cilium/cilium/security/advisories/GHSA-3fcv-jvfp-m4q9