Cilium 1.18.5 Traffic Bypass

24 Feb 2026. Reported by indoushka. Type: packetstorm. Source: packetstorm.news

Assesses the Cilium 1.18 vulnerability that lets cross-node Pod traffic bypass the host firewall and encryption.

Code
=============================================================================================================================================
    | # Title     : Cilium 1.18.0–1.18.5 eBPF Datapath Vulnerability                                                                            |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://cilium.io/                                                                                                          |
    =============================================================================================================================================
    
    [+] Summary    : This Python script performs a comprehensive node-level analysis to assess the Cilium 1.18.0–1.18.5 vulnerability 
                     that allows cross-node Pod traffic to bypass Host Firewall policies when Native Routing, WireGuard, and Node Encryption are enabled.
    				 
    [+] POC   :  
    
    #!/usr/bin/env python3
    """Node-level assessment helper for the Cilium 1.18.0-1.18.5 host-firewall bypass.

    Run on a node (or inside the cilium-agent pod) where the `cilium` and `bpftool`
    binaries are available. It only reads datapath state and diffs upstream source.
    """

    import os
    import re
    import subprocess

    CILIUM_REPO = "/tmp/cilium_repo"
    VERSION_A = "v1.18.5"   # last vulnerable release named in the advisory
    VERSION_B = "v1.18.6"   # release the datapath is diffed against
    BPF_A = "/tmp/bpf_a"
    BPF_B = "/tmp/bpf_b"
    DATAPATH_FILTER = re.compile(r"bpf_host|bpf_wireguard|policy|nodeport")


    def run(cmd):
        """Run a shell pipeline and return its stdout; report failures instead of hiding them."""
        try:
            return subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT).decode(errors="replace")
        except subprocess.CalledProcessError as exc:
            detail = exc.output.decode(errors="replace").strip()
            print(f"[!] '{cmd}' exited with status {exc.returncode}: {detail}")
            return ""


    def section(title):
        print("\n" + "=" * 60)
        print(title)
        print("=" * 60)


    def parse_version(text):
        """Return the agent version as (major, minor, patch), or None if not found.

        cilium-cli prints 'cilium image (running): 1.18.5' and the in-agent binary
        prints 'Daemon: 1.18.5'; those lines are preferred so that the CLI's own
        'cilium-cli: vX.Y.Z' line is not mistaken for the agent version.
        """
        lines = text.splitlines()
        preferred = [l for l in lines if "running" in l or l.startswith("Daemon")]
        for line in preferred + lines:
            m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)\b", line)
            if m:
                return tuple(int(part) for part in m.groups())
        return None


    def check_version():
        section("CILIUM VERSION")
        out = run("cilium version")
        print(out)
        version = parse_version(out)
        print("Parsed agent version:", ".".join(map(str, version)) if version else "Unknown")
        return version


    def check_config():
        section("CILIUM CONFIG")
        print(run("cilium config"))


    def check_wireguard():
        section("WIREGUARD STATUS")
        print(run("cilium status | grep -i wireguard"))


    def check_bpf_attach_points():
        section("BPF ATTACH POINTS")
        # `bpftool net` lists attachments with `show`; `attach` is the verb for adding one.
        print(run("bpftool net show"))


    def check_bpf_programs():
        section("LOADED BPF PROGRAMS")
        print(run("bpftool prog show | grep -i cilium"))


    def check_bpf_maps():
        section("BPF MAPS")
        print(run("bpftool map show | grep -i cilium"))


    def dump_policy_maps():
        section("POLICY MAP DUMP")
        # Policy maps carry a per-endpoint suffix, so an exact 'name cilium_policy'
        # lookup finds nothing; match the prefix and dump each map by id instead.
        found = False
        for line in run("bpftool map show").splitlines():
            m = re.match(r"(\d+):.*\bname (cilium_policy\S*)", line)
            if m:
                found = True
                print(f"--- map id {m.group(1)} ({m.group(2)}) ---")
                print(run(f"bpftool map dump id {m.group(1)}"))
        if not found:
            print("No cilium_policy* maps found.")


    def clone_repo():
        section("CLONING CILIUM SOURCE")
        if os.path.isdir(os.path.join(CILIUM_REPO, ".git")):
            print("Using existing checkout at", CILIUM_REPO)
            return
        run(f"git clone --quiet https://github.com/cilium/cilium.git {CILIUM_REPO}")


    def export_bpf_tree(tag, dest):
        """Export bpf/ at the given tag into a fresh directory, without chdir or checkout side effects."""
        run(f"rm -rf {dest} && mkdir -p {dest}")
        run(f"git -C {CILIUM_REPO} archive {tag} bpf | tar -x -C {dest}")


    def diff_datapath():
        section(f"DIFF DATAPATH BETWEEN {VERSION_A} AND {VERSION_B}")
        export_bpf_tree(VERSION_A, BPF_A)
        export_bpf_tree(VERSION_B, BPF_B)
        # diff exits 1 whenever the trees differ, which is the expected case here,
        # so call it directly rather than through run(), which treats that as failure.
        proc = subprocess.run(["diff", "-ru", BPF_A, BPF_B], capture_output=True, text=True)
        relevant = [l for l in proc.stdout.splitlines() if DATAPATH_FILTER.search(l)]
        print("\n".join(relevant) if relevant else "No relevant datapath diff found.")


    def analyze_root_cause(version):
        section("ROOT CAUSE ANALYSIS")
        if version is None:
            print("Could not determine the running Cilium version; skipping.")
            return
        # Compare as integer tuples: string comparison would rank 1.18.10 below 1.18.5.
        if (1, 18, 0) <= version <= (1, 18, 5):
            print("Version within vulnerable range.")
            print("""
    Likely Root Cause:
    - WireGuard decrypt path reinjects packet
    - Host firewall hook not triggered
    - Identity context not revalidated
    - Policy map lookup skipped or misordered
    """)
        elif version[:2] == (1, 18):
            print("Version likely patched (>= 1.18.6).")
            print("""
    Patch likely:
    - Reordered host firewall hook
    - Ensured policy lookup after decrypt
    - Fixed identity propagation
    """)
        else:
            print("Version is not a 1.18.x release; this advisory covers 1.18.0-1.18.5 only.")


    def main():
        version = check_version()
        check_config()
        check_wireguard()
        check_bpf_attach_points()
        check_bpf_programs()
        check_bpf_maps()
        dump_policy_maps()
        clone_repo()
        diff_datapath()
        analyze_root_cause(version)


    if __name__ == "__main__":
        main()

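Added example, not part of indoushka's script: the summary ties the bypass to three settings (Native Routing, WireGuard, Node Encryption) that the script itself never checks, so this helper evaluates both the version range and those preconditions from a ConfigMap-style dump and reports whether a node is actually exposed. The keys `routing-mode`, `enable-wireguard` and `encrypt-node`, the two-column `cilium config view` format and the sample dump are assumptions.

```python
import re

# Constructed sample in the two-column format of `cilium config view`
# (ConfigMap key, whitespace, value); not captured from a real cluster.
SAMPLE_CONFIG = """\
routing-mode                    native
enable-wireguard                true
encrypt-node                    true
enable-host-firewall            true
"""

# Range named in the advisory; v1.18.6 is the build the script diffs against.
FIRST_VULNERABLE = (1, 18, 0)
FIRST_FIXED = (1, 18, 6)

# Assumed ConfigMap keys for the advisory's three preconditions
# (Native Routing, WireGuard, Node Encryption).
PRECONDITIONS = {
    "routing-mode": "native",
    "enable-wireguard": "true",
    "encrypt-node": "true",
}

def parse_version(text: str) -> tuple:
    """Extract X.Y.Z (optionally v-prefixed) from a version line as an int tuple."""
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(p) for p in m.groups())

def parse_config(text: str) -> dict:
    """Accept 'key   value' or 'key: value' lines; skip blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.-]+)\s*:?\s+(\S+)", line)
        if m and not line.lstrip().startswith("#"):
            cfg[m.group(1)] = m.group(2).lower()
    return cfg

def assess(version_text: str, config_text: str) -> dict:
    """Exposed only if the version is in range AND all three preconditions hold."""
    version = parse_version(version_text)
    cfg = parse_config(config_text)
    in_range = FIRST_VULNERABLE <= version < FIRST_FIXED   # tuple compare, not string
    unmet = [k for k, want in PRECONDITIONS.items() if cfg.get(k) != want]
    exposed = in_range and not unmet
    return {"version": version, "in_vulnerable_range": in_range,
            "unmet_preconditions": unmet, "exposed": exposed,
            "action": "upgrade to 1.18.6 or later" if exposed else "none for this issue"}
```

A node inside the version range that fails any one precondition is reported as not exposed to this issue, which is the distinction that decides how urgent the upgrade is.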
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================

Vulners AI Score: 5.6 (Medium risk). CVSS 3.1: 5.4 - 6.1. EPSS: 0.00006.