
16 matches found

RedhatCVE
added 2025/05/23 7:54 a.m. | 2 views

CVE-2024-42488

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.14.14 and 1.15.8, a race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies...

CVSS 6.8 | AI score 6.4 | EPSS 0.00028
Exploits: 0

OSV
added 2025/01/28 3:1 p.m. | 10 views

GO-2025-3415 DoS in Cilium agent DNS proxy from crafted DNS responses in github.com/cilium/cilium

DoS in Cilium agent DNS proxy from crafted DNS responses in github.com/cilium/cilium...

CVSS 5.3 | AI score 5.4 | EPSS 0.00073
Exploits: 0 | References: 5

OSV
added 2025/01/22 6:8 p.m. | 6 views

GHSA-9M5P-C77C-F9J7 DoS in Cilium agent DNS proxy from crafted DNS responses

Impact: In a Kubernetes cluster where Cilium is configured to proxy DNS traffic, an attacker can crash Cilium agents by sending a crafted DNS response to workloads from outside the cluster. For traffic that is allowed but without using DNS-based policy, the dataplane will continue to pass traffic ...

CVSS 5.3 | AI score 5.2 | EPSS 0.00073
Exploits: 0 | References: 6

Github Security Blog
added 2025/01/22 6:8 p.m. | 20 views

DoS in Cilium agent DNS proxy from crafted DNS responses

Impact: In a Kubernetes cluster where Cilium is configured to proxy DNS traffic, an attacker can crash Cilium agents by sending a crafted DNS response to workloads from outside the cluster. For traffic that is allowed but without using DNS-based policy, the dataplane will continue to pass traffic ...

CVSS 5.3 | AI score 6.5 | EPSS 0.00073
Exploits: 0 | References: 6 | Affected Software: 1

Vulnrichment
added 2025/01/22 4:48 p.m. | 14 views

CVE-2025-23028 DoS in Cilium agent DNS proxy from crafted DNS responses

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. A denial of service vulnerability affects versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through 1.16.4. In a Kubernetes cluster where Cilium is configured to proxy DNS traffic, an...

CVSS 5.3 | AI score 6.8 | EPSS 0.00073
Exploits: 0 | References: 2

Cvelist
added 2025/01/22 4:48 p.m. | 10 views

CVE-2025-23028 DoS in Cilium agent DNS proxy from crafted DNS responses

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. A denial of service vulnerability affects versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through 1.16.4. In a Kubernetes cluster where Cilium is configured to proxy DNS traffic, an...

CVSS 5.3 | EPSS 0.00073
Exploits: 0 | References: 2

OSV
added 2024/08/16 5:28 p.m. | 17 views

GO-2024-3072 Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium...

CVSS 6.8 | AI score 6.4 | EPSS 0.00028
Exploits: 0 | References: 4

OSV
added 2024/08/15 9:43 p.m. | 10 views

GHSA-Q7W8-72MR-VPGW Policy bypass for Host Firewall policy due to race condition in Cilium agent

Impact: A race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass. Patches: This issue was fixed in...

CVSS 6.8 | AI score 6.4 | EPSS 0.00028
Exploits: 0 | References: 7

Github Security Blog
added 2024/08/15 9:43 p.m. | 12 views

Policy bypass for Host Firewall policy due to race condition in Cilium agent

Impact: A race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass. Patches: This issue was fixed in...

CVSS 6.8 | AI score 6.6 | EPSS 0.00028
Exploits: 0 | References: 7 | Affected Software: 1

Veracode
added 2023/09/28 6:26 a.m. | 13 views

Denial Of Service (DoS)

github.com/cilium/cilium is vulnerable to Denial of Service (DoS). The vulnerability is due to a lack of checks to confirm if the L7 proxy is enabled or disabled before processing the proxyVisibility annotations. When the L7 proxy is disabled, any workload with these annotations can crash the Ciliu...

CVSS 3.5 | AI score 6.8 | EPSS 0.00052
Exploits: 1 | References: 5 | Affected Software: 1

NVD
added 2023/09/27 3:19 p.m. | 6 views

CVE-2023-41332

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In Cilium clusters where Cilium's Layer 7 proxy has been disabled, creating workloads with policy.cilium.io/proxy-visibility annotations in Cilium = v1.13 or io.cilium.proxy-visibility annotations in Cilium...

CVSS 3.5 | AI score 3.8 | EPSS 0.00052
Exploits: 1 | References: 2

Prion
added 2023/04/18 10:15 p.m. | 15 views

Design/Logic Flaw

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. When run in debug mode, Cilium will log the contents of the cilium-secrets namespace. This could include data such as TLS private keys for Ingress and GatewayAPI resources. An attacker with access to debug...

CVSS 2.4 | AI score 6 | EPSS 0.00071
Exploits: 0 | References: 1 | Affected Software: 1

OSV
added 2023/04/18 9:21 p.m. | 11 views

CVE-2023-29002 Debug mode leaks confidential data in Cilium

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. When run in debug mode, Cilium will log the contents of the cilium-secrets namespace. This could include data such as TLS private keys for Ingress and GatewayAPI resources. An attacker with access to debug...

CVSS 7.2 | AI score 6.1 | EPSS 0.00071
Exploits: 0 | References: 3

CVE
added 2023/04/18 9:21 p.m. | 353 views

CVE-2023-29002

Cilium (eBPF-based dataplane) in debug mode logs contents of the cilium-secrets namespace, potentially exposing TLS private keys for Ingress/GatewayAPI. This could enable an attacker with access to debug output to intercept/modify traffic to the cluster. The issue occurs at agent restart, on secr...

CVSS 7.2 | AI score 6.1 | EPSS 0.00071
Exploits: 0 | References: 1 | Affected Software: 1

Vulnrichment
added 2023/03/17 7:51 p.m. | 5 views

CVE-2023-27593 cilium-agent container can access the host via `hostPath` mount

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.11.15, 1.12.8, and 1.13.1, an attacker with access to a Cilium agent pod can write to /opt/cni/bin due to a hostPath mount of that directory in the agent pod. By replacing the CNI binary...

CVSS 4.4 | AI score 5.5 | EPSS 0.00022
Exploits: 0 | References: 6

Github Security Blog
added 2023/03/17 6:20 p.m. | 22 views

cilium-agent container can access the host via `hostPath` mount

Impact: An attacker with access to a Cilium agent pod can write to /opt/cni/bin due to a hostPath mount of that directory in the agent pod. By replacing the CNI binary with their own malicious binary and waiting for the creation of a new pod on the node, the attacker can gain access to the...

CVSS 5.5 | AI score 5.9 | EPSS 0.00022
Exploits: 0 | References: 8 | Affected Software: 1