NIXPKGS-2026-0817

GitHub issue published 2 months, 4 weeks ago

Permalink CVE-2026-32241

7.5 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 2 months, 4 weeks ago
@LeSuisse ignored package cni-plugin-flannel 2 months, 4 weeks ago
@LeSuisse deleted maintainer @offlinehacker 2 months, 4 weeks ago maintainer.delete
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

Flannel vulnerable to cross-node remote code execution via extension backend BackendData injection

Flannel is a network fabric for containers, designed for Kubernetes. The Flannel project includes an experimental Extension backend that allows users to easily prototype new backend types. In versions of Flannel prior to 0.28.2, this Extension backend is vulnerable to a command injection that allows an attacker who can set Kubernetes Node annotations to achieve root-level arbitrary command execution on every flannel node in the cluster. The Extension backend's SubnetAddCommand and SubnetRemoveCommand receive attacker-controlled data via stdin (from the `flannel.alpha.coreos.com/backend-data` Node annotation). The content of this annotation is unmarshalled and piped directly to a shell command without checks. Kubernetes clusters using Flannel with the Extension backend are affected by this vulnerability. Other backends such as vxlan and wireguard are unaffected. The vulnerability is fixed in version v0.28.2. As a workaround, use Flannel with another backend such as vxlan or wireguard.

References

https://github.com/flannel-io/flannel/security/advisories/GHSA-vchx-5pr6-ffx2 x_refsource_CONFIRM
https://github.com/flannel-io/flannel/releases/tag/v0.28.2 x_refsource_MISC

Affected products

flannel

==< 0.28.2

Matching in nixpkgs

pkgs.flannel

Network fabric for containers, designed for Kubernetes

nixos-unstable 0.28.1
- nixpkgs-unstable 0.28.1
- nixos-unstable-small 0.28.1

Ignored packages (1)

pkgs.cni-plugin-flannel

Network fabric for containers designed to work in conjunction with flannel

nixos-unstable 1.9.0-flannel1
- nixpkgs-unstable 1.9.0-flannel1
- nixos-unstable-small 1.9.0-flannel1

Package maintainers

@johanot Johan Thomsen <write@ownrisk.dk>

Advisory: https://github.com/flannel-io/flannel/security/advisories/GHSA-vchx-5pr6-ffx2