CVE-2026-24514
📋 TL;DR
This CVE describes a denial-of-service vulnerability in ingress-nginx's validating admission controller. Attackers can send large requests to exhaust memory, potentially causing the controller pod to be killed or the node to run out of memory. This affects Kubernetes clusters using ingress-nginx with the validating admission controller enabled.
💻 Affected Systems
- ingress-nginx
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for ingress-nginx controller, potentially affecting all ingress traffic to applications, and possible node-level resource exhaustion impacting other workloads on the same node.
Likely Case
Temporary disruption of ingress-nginx controller pod, causing brief interruption to ingress traffic until Kubernetes restarts the pod.
If Mitigated
Minimal impact with proper resource limits, monitoring, and request size restrictions in place.
🎯 Exploit Status
Exploitation requires ability to send requests to the validating admission controller endpoint, which typically requires some level of access to the Kubernetes cluster or network.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check the upstream Kubernetes and ingress-nginx releases for the specific patched version
Vendor Advisory: https://github.com/kubernetes/kubernetes/issues/136680
Restart Required: Yes
Instructions:
1. Update ingress-nginx to the patched version.
2. Update Kubernetes if the vulnerability is in an upstream component.
3. Restart the ingress-nginx controller pods.
🔧 Temporary Workarounds
Disable validating admission controller (applies to: all)
Temporarily disable the vulnerable component if it is not required:
kubectl edit deployment ingress-nginx-controller -n ingress-nginx
Remove or disable the validating admission webhook configuration.
Implement request size limits (applies to: all)
Configure ingress-nginx to reject overly large requests: add a client_max_body_size directive to the nginx configuration.
🧯 If You Can't Patch
- Implement strict network policies to restrict access to admission controller endpoints
- Configure resource limits and requests for ingress-nginx pods to prevent node exhaustion
🔍 How to Verify
Check if Vulnerable:
Check whether the validating admission controller is enabled and review the running ingress-nginx version against the patched releases.
Check Version:
kubectl describe pod -n ingress-nginx | grep Image
Verify Fix Applied:
Verify that the ingress-nginx version has been updated, then confirm that large requests to the admission endpoint are rejected rather than exhausting memory.
📡 Detection & Monitoring
Log Indicators:
- High memory usage alerts for ingress-nginx pods
- Pod restart events for ingress-nginx controller
- Large request size logs in nginx access logs
Network Indicators:
- Unusually large requests to admission webhook endpoints
- High volume of requests to /validate path
SIEM Query:
source="kubernetes" pod="ingress-nginx*" (memory_usage>90% OR restart_count>2)
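The indicators above, implemented as detection logic over constructed sample data. This is an added example, not part of the advisory or the ingress-nginx project; the metric field names, the simplified access-log layout and the 1 MiB "large request" threshold are assumptions about the monitoring pipeline feeding the SIEM.

```python
import re

MEMORY_RATIO_THRESHOLD = 0.90      # advisory SIEM query: memory_usage>90%
RESTART_THRESHOLD = 2              # advisory SIEM query: restart_count>2
LARGE_REQUEST_BYTES = 1024 * 1024  # assumption: a 1 MiB webhook request is "unusually large"
POD_PREFIX = "ingress-nginx"       # advisory SIEM query: pod="ingress-nginx*"

# Constructed pod metrics (field names are assumptions about the metrics pipeline).
POD_METRICS = [
    {"pod": "ingress-nginx-controller-7c9d8", "memory_bytes": 470 << 20,
     "memory_limit_bytes": 512 << 20, "restart_count": 3},
    {"pod": "ingress-nginx-controller-b4f21", "memory_bytes": 120 << 20,
     "memory_limit_bytes": 512 << 20, "restart_count": 0},
    {"pod": "coredns-5d7c9", "memory_bytes": 95 << 20,          # out of scope: not ingress-nginx
     "memory_limit_bytes": 100 << 20, "restart_count": 4},
]

# Constructed access-log lines in a simplified layout: client "method path proto" status request_length
ACCESS_LOG = [
    '10.244.1.7 "POST /validate HTTP/1.1" 200 3072',
    '10.244.1.7 "POST /validate HTTP/1.1" 200 5242880',
    '10.244.2.3 "GET /healthz HTTP/1.1" 200 120',
    '10.244.2.3 "POST /validate HTTP/1.1" 200 2097152',
]
LOG_RE = re.compile(r'^(?P<client>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<req_len>\d+)$')


def flag_pods(metrics):
    """Return {pod: [reasons]} for ingress-nginx pods that match the advisory's SIEM query."""
    findings = {}
    for m in metrics:
        if not m["pod"].startswith(POD_PREFIX):
            continue
        reasons = []
        if m["memory_bytes"] / m["memory_limit_bytes"] > MEMORY_RATIO_THRESHOLD:
            reasons.append("memory_usage>90%")
        if m["restart_count"] > RESTART_THRESHOLD:
            reasons.append("restart_count>2")
        if reasons:
            findings[m["pod"]] = reasons
    return findings


def flag_large_validate_requests(lines, threshold=LARGE_REQUEST_BYTES):
    """Return (client, request_length) for oversized requests to the /validate path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["path"].startswith("/validate") and int(m["req_len"]) > threshold:
            hits.append((m["client"], int(m["req_len"])))
    return hits


if __name__ == "__main__":
    print(flag_pods(POD_METRICS))
    print(flag_large_validate_requests(ACCESS_LOG))
```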