CVE-2024-42486

5.4 MEDIUM

📋 TL;DR

A vulnerability in Cilium's GatewayAPI controller fails to properly propagate ReferenceGrant changes, allowing Gateway resources to retain access to secrets longer than intended or Routes to forward traffic to backends in other namespaces beyond their authorization. This affects Cilium deployments using Gateway API features on affected versions. Organizations running Cilium with Gateway API functionality are at risk.

💻 Affected Systems

Products:
  • Cilium
Versions: 1.15.x branch prior to 1.15.8, 1.16.x branch prior to 1.16.1
Operating Systems: Linux (any with eBPF support)
Default Config Vulnerable: ✅ No
Notes: Only affects deployments using Cilium's Gateway API features with ReferenceGrants. Standard Cilium installations without Gateway API are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized access to sensitive secrets across namespaces, potentially exposing credentials, certificates, or other confidential data to unauthorized Gateway resources, leading to data breaches or lateral movement.

🟠

Likely Case

Routes maintaining access to backend services in other namespaces after ReferenceGrant revocation, potentially violating namespace isolation and allowing unintended traffic flow between namespaces.

🟢

If Mitigated

Limited impact if proper network policies and RBAC controls are in place, but namespace isolation may still be compromised temporarily.

🌐 Internet-Facing: MEDIUM - Gateway resources often handle external traffic, but exploitation requires specific Gateway API configurations and access to modify ReferenceGrants.
🏢 Internal Only: MEDIUM - Internal clusters with Gateway API usage are vulnerable, but exploitation requires cluster-level access and specific configurations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires cluster access to modify ReferenceGrants and knowledge of Gateway API configurations. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Cilium v1.15.8 and v1.16.1

Vendor Advisory: https://github.com/cilium/cilium/security/advisories/GHSA-vwf8-q6fw-4wcm

Restart Required: Yes

Instructions:

1. Back up your Cilium configuration.
2. Upgrade Cilium to v1.15.8 (if on 1.15.x) or v1.16.1 (if on 1.16.x).
3. Restart Cilium components.
4. Verify Gateway API functionality post-upgrade.

🔧 Temporary Workarounds

Trigger ReferenceGrant Reconciliation

Applies to: all affected versions

Modify any related Gateway/HTTPRoute/GRPCRoute/TCPRoute resource (for example by adding a label, as below) to force the controller to reconcile ReferenceGrants again:

kubectl label -n <namespace> <resource-type> <resource-name> trigger-reconciliation=true

🧯 If You Can't Patch

  • Implement strict network policies to limit cross-namespace traffic
  • Monitor and audit ReferenceGrant changes and Gateway API resource modifications

🔍 How to Verify

Check if Vulnerable:

Check Cilium version (a match means the running image is in an affected range; the pattern anchors on the patch number so that 1.15.10 and later are not mistaken for 1.15.1): kubectl get daemonset -n kube-system cilium -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -E '1\.15\.[0-7]([^0-9]|$)|1\.16\.0([^0-9]|$)'

Check Version:

kubectl get daemonset -n kube-system cilium -o jsonpath='{.spec.template.spec.containers[0].image}'

Verify Fix Applied:

Confirm version is 1.15.8 or higher (for 1.15.x) or 1.16.1 or higher (for 1.16.x) and test ReferenceGrant revocation functionality
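As an added example (not part of this advisory or of Cilium's own tooling), a small Python check that parses the image reference returned by the kubectl command above and compares it against the fixed versions stated here; unlike a substring grep it parses the patch number as an integer, so 1.15.10 is correctly treated as fixed. The image format (tag, optional v prefix, optional @sha256 digest) is assumed to match the standard Cilium image references.

```python
import re
import sys
from typing import Optional, Tuple

# Fixed versions stated in the advisory: 1.15.x is fixed from 1.15.8, 1.16.x from 1.16.1.
FIXED_IN = {(1, 15): 8, (1, 16): 1}

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(image: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a container image reference, or None."""
    ref = image.strip().split("@", 1)[0]          # drop an optional @sha256:... digest
    _name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:                      # no tag, or the ':' was a registry port
        return None
    m = _SEMVER.match(tag)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())       # type: ignore[return-value]


def classify(image: str) -> str:
    """Return 'affected', 'fixed', 'outside-advisory-range' or 'unknown'."""
    ver = parse_version(image)
    if ver is None:
        return "unknown"                           # untagged/latest images cannot be judged
    major, minor, patch = ver
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        return "outside-advisory-range"            # branch not listed in the advisory
    return "fixed" if patch >= fixed_patch else "affected"


if __name__ == "__main__":
    # Usage: kubectl get ds -n kube-system cilium -o jsonpath='{...image}' | python3 check.py
    for line in sys.stdin:
        print(f"{line.strip()}: {classify(line)}")
```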

📡 Detection & Monitoring

Log Indicators:

  • Unexpected cross-namespace traffic patterns
  • Gateway resources accessing secrets after ReferenceGrant removal

Network Indicators:

  • Traffic flowing between namespaces without active ReferenceGrants

SIEM Query:

source="cilium-logs" AND ("ReferenceGrant" OR "GatewayAPI") AND ("failed propagation" OR "stale access")
