CVE-2026-33726

{"id": "CVE-2026-33726", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-03-27T01:16:20.007", "references": [{"url": "https://docs.cilium.io/en/stable/network/concepts/routing/#routing", "tags": ["Technical Description"], "source": "security-advisories@github.com"}, {"url": "https://docs.cilium.io/en/stable/network/kubernetes/policy/#network-policy", "tags": ["Technical Description"], "source": "security-advisories@github.com"}, {"url": "https://docs.cilium.io/en/stable/network/servicemesh/l7-traffic-management", "tags": ["Technical Description"], "source": "security-advisories@github.com"}, {"url": "https://docs.cilium.io/en/stable/operations/performance/tuning/#ebpf-host-routing", "tags": ["Technical Description"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cilium/cilium/pull/44693", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/cilium/cilium/security/advisories/GHSA-hxv8-4j4r-cqgv", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network Policies are not enforced for traffic from pods to L7 Services (Envoy, GAMMA) with a local backend on the same node, when Per-Endpoint Routing is enabled and BPF Host Routing is disabled. Per-Endpoint Routing is disabled by default, but is automatically enabled in deployments using cloud IPAM, including Cilium ENI on EKS (`eni.enabled`), AlibabaCloud ENI (`alibabacloud.enabled`), Azure IPAM (`azure.enabled`, but not AKS BYOCNI), and some GKE deployments (`gke.enabled`; managed offerings such as GKE Dataplane V2 may use different defaults). It is typically not enabled in tunneled deployments, and chaining deployments are not affected. In practice, Amazon EKS with Cilium ENI mode is likely the most common affected environment. Versions 1.17.14, 1.18.8, and 1.19.2 contain a patch. There is currently no officially verified or comprehensive workaround for this issue. The only option would be to disable per-endpoint routes, but this will likely cause disruptions to ongoing connections, and potential conflicts if running in cloud providers."}, {"lang": "es", "value": "Cilium es una soluci\u00f3n de red, observabilidad y seguridad con un plano de datos basado en eBPF. Antes de las versiones 1.17.14, 1.18.8 y 1.19.2, las pol\u00edticas de red de entrada (Ingress Network Policies) no se aplican para el tr\u00e1fico de pods a servicios L7 (Envoy, GAMMA) con un backend local en el mismo nodo, cuando el enrutamiento por punto final (Per-Endpoint Routing) est\u00e1 habilitado y el enrutamiento de host BPF (BPF Host Routing) est\u00e1 deshabilitado. El enrutamiento por punto final (Per-Endpoint Routing) est\u00e1 deshabilitado por defecto, pero se habilita autom\u00e1ticamente en implementaciones que utilizan IPAM en la nube, incluyendo Cilium ENI en EKS ('eni.enabled'), AlibabaCloud ENI ('alibabacloud.enabled'), Azure IPAM ('azure.enabled', pero no AKS BYOCNI), y algunas implementaciones de GKE ('gke.enabled'; las ofertas gestionadas como GKE Dataplane V2 pueden usar valores predeterminados diferentes). Normalmente no est\u00e1 habilitado en implementaciones con t\u00faneles, y las implementaciones en cadena no se ven afectadas. En la pr\u00e1ctica, Amazon EKS con modo Cilium ENI es probablemente el entorno afectado m\u00e1s com\u00fan. Las versiones 1.17.14, 1.18.8 y 1.19.2 contienen un parche. Actualmente no existe una soluci\u00f3n alternativa oficialmente verificada o completa para este problema. La \u00fanica opci\u00f3n ser\u00eda deshabilitar las rutas por punto final, pero esto probablemente causar\u00e1 interrupciones en las conexiones en curso, y posibles conflictos si se ejecuta en proveedores de la nube."}], "lastModified": "2026-04-01T15:53:30.673", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1544DC73-F250-4536-B6EB-DADBA95C83EC", "versionEndExcluding": "1.17.14"}, {"criteria": "cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7695E23A-4AF0-44E0-8282-0E4435451C9C", "versionEndExcluding": "1.18.8", "versionStartIncluding": "1.18.0"}, {"criteria": "cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3D2F4891-29A2-4B8F-BE6E-900EB5DDCC0A", "versionEndExcluding": "1.19.2", "versionStartIncluding": "1.19.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}