Skip to content

Instantly share code, notes, and snippets.

@dims

dims/2026-04-23-dep-security-analysis-v2.md

Last active April 24, 2026 00:51
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save dims/e7e55d375149d0c3b4d38f85c8cea172 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save dims/e7e55d375149d0c3b4d38f85c8cea172 to your computer and use it in GitHub Desktop.
Download ZIP
Kubernetes dependency security analysis 2026-04-23 (43 packages)
Raw
2026-04-23-dep-security-analysis-v2.md

Kubernetes Dependency Security Analysis

Date: 2026-04-23
Packages analyzed: 43
Method: GitHub diff inspection, Go Vulnerability Database, CVE/GHSA search, K8s source grep for reachability

Executive Summary

Of 43 packages with version gaps, 2 require prompt action (live CVE or directly reachable hardening fix), 3 are medium priority (correctness/transitive security value), and the remainder are routine hygiene with no meaningful security delta. Two packages had known CVEs that are already patched in the currently pinned version.

Priority 1 — UPGRADE PROMPTLY

golang.org/x/net v0.52.0 → v0.53.0

CVE: CVE-2026-33814 (RESERVED — not yet in NVD; tracked at golang/go#78476)
Type: Remote DoS — HTTP/2 Transport hang
Fix commit: 1e71bd86 — "http2: prevent hanging Transport due to bad SETTINGS frame"

What it does: A peer that returns an HTTP/2 SETTINGS frame with MaxFrameSize=0 causes the Transport's writeFrames loop to hang indefinitely. This is a client-side hang — not a crash — but it ties up goroutines and connections permanently.

K8s reachability (VERY HIGH):

  • kube-apiserver HTTP/2 client paths: OIDC issuer JWKS fetches, admission webhook calls (MutatingAdmissionWebhook, ValidatingAdmissionWebhook), authentication/authorization webhook calls, aggregated API server proxying
  • kubelet → image registry (OCI registry over HTTP/2)
  • All client-go list/watch connections

Attack scenario: A malicious or misconfigured OIDC IdP, admission webhook, or aggregated API server responds with a SETTINGS frame containing MaxFrameSize=0, hanging the apiserver's connection to it indefinitely. Repeated exploits accumulate hung goroutines → memory pressure / slow DoS.

Secondary fix in this release: QUIC server panic on Retry packets with short connection IDs (golang/go#78292) — not applicable (k8s does not use QUIC/HTTP3) — not applicable (k8s does not use QUIC/HTTP3).

Action: ./hack/pin-dependency.sh golang.org/x/net v0.53.0 then ./hack/update-vendor.sh

github.com/fxamacker/cbor/v2 v2.9.0 → v2.9.1

CVE: None filed yet — but the PR descriptions are explicit about security-motivated hardening
Type: Parser hardening for the kube-apiserver CBOR deserializer

What changed (PR #750, PR #753, PR #757):

Fix What it prevents
Tag-1 epoch float overflow bounds check Sending CBOR tag(1) float(1e308) into any time.Time field overflows int64 seconds — now rejected with bounds error
RawMessage.MarshalCBOR returns clone Prevents external mutation of internal cborNil slice state
keyasint: reject integer keys > MaxInt64 Prevents integer overflow in struct-field matching
keyasint: string "1" no longer matches cbor:"1,keyasint" Eliminates type-confusion between string and integer keys

K8s reachability (HIGH): kube-apiserver sets DecTagOptional and IndefLengthAllowed on its CBOR decoder (staging/src/k8s.io/apimachinery/pkg/runtime/serializer/cbor/internal/modes/decode.go). This means:

  • An authenticated client can send Content-Type: application/cbor with a CBOR tag-1 extreme-float value in metav1.Time fields (e.g., objectMeta.creationTimestamp, managedFields[].time) → triggers the overflow path fixed by PR #753

The keyasint fixes are not reachable (no k8s Go type uses cbor:"...,keyasint" tags), but the time-tag overflow is live.

Action: ./hack/pin-dependency.sh github.com/fxamacker/cbor/v2 v2.9.1 then ./hack/update-vendor.sh

Priority 2 — MEDIUM (upgrade in next dep sweep)

go.etcd.io/etcd/{api,client/pkg,client,pkg,server}/v3 v3.6.8 → v3.6.10

CVEs (published 2026-03-20):

CVE GHSA Description K8s exploitable?
CVE-2026-33343 GHSA-rfx7-8w68-q57q Nested Txn bypasses RBAC (read/write any key) No — K8s does not use etcd's auth; apiserver handles auth
CVE-2026-33413 GHSA-q8m4-xhhv-38mg MemberList/Alarm/Lease/Compact accessible without auth No — same reason; but Compact DoS matters if etcd port is exposed

Why still upgrade:

  1. Read-index race fix (PR #21378) — race between read index and leader change can cause stale reads → apiserver list/watch inconsistency
  2. Stale-read fix from process pause (PR #21417) — linearizability regression, affects kube-apiserver
  3. Watch correctness fix (PR #21443) — revert of event-reuse between sync loops → incorrect watch events
  4. Transitive grpc fix — etcd v3.6.9 bumped grpc to 1.79.3 (CVE-2026-33186, CRITICAL 9.1 — but k8s's own grpc pin already has this)
  5. Transitive x/net fixGO-2026-4559, etcd v3.6.9 bumped x/net to 0.51+ (k8s's own x/net upgrade above covers this)

Action: Bump all 5 etcd modules together to v3.6.10.

github.com/container-storage-interface/spec v1.9.0 → v1.12.0

CVEs: None direct
Why upgrade: The jump from v1.9.0 raises transitive dependency floors:

Dep inside CSI spec v1.9.0 v1.10.0+ Security relevance
golang.org/x/net 0.10.0 0.23.0 Pre-CVE-2023-44487 (HTTP/2 Rapid Reset) → post-fix
google.golang.org/protobuf 1.32.0 1.33.0 GO-2024-2611 (protojson infinite loop)
google.golang.org/grpc 1.57.0 1.57.1 CVE-2023-44487 mitigation

Functional additions: SnapshotMetadata service (alpha, v1.10), VolumeGroupSnapshot GA (v1.11), ControllerModifyVolume GA (v1.12), GetSnapshot (alpha, v1.12). See releases.

Watch for: v1.10.0 is a breaking rebuild (protoc-gen-go struct layout change). Ensure no hand-written code depends on old struct layout in pkg/volume/csi/.

Action: Bump to v1.12.0. Run make test on the CSI-consuming kubelet volume path after vendor update.

github.com/go-openapi/swag v0.23.0 → v0.26.0

CVEs: None filed
Type: Panic fixes in name-mangler (supply-chain/tooling concern)

Real panic fixes:

  • v0.25.3: gatherInitialismMatches panics on inputs like LinkLocalIPs, NativeBaseURLs, SiteURLs — out-of-bounds array access (commit c65e5886)
  • v0.25.4: Overlapping pluralized initialisms (e.g., TTLss) trigger panic — OSS-Fuzz reported (commit 2bf1ed66)

K8s reachability: swag.ToGoName/ToVarName are not called at kube-apiserver runtime — only in code-generation tooling (kube-openapi-gen, deepcopy-gen). But crafted CRD names hitting the generator in CI could panic the codegen pipeline.

Other notable changes:

  • v0.24.0: Removed default mailru/easyjson dependency → cleaner dep graph
  • v0.25.1: Fixed data race in jsonutils lexer

Action: Bump to v0.26.0. Check import paths — v0.24 split package into submodules (jsonutils, yamlutils, mangling), but the swag facade package remains.

Priority 3 — LOW (batch in next routine dep PR)

github.com/moby/term v0.5.0 → v0.5.2 (bundles github.com/Azure/go-ansitermfaa5f7b0171c)

What changed: OSC string terminator parsing fix (PR #35) — parser previously transitioned to ground state on any 0x5C (\) byte inside an OSC string, leaking printable content from inside OSC wrappers to the terminal. Fixed to only accept proper ST (String Terminator) sequences.

K8s surface: kubectl exec, kubectl attach, kubectl run -it — a pod's stdout could emit crafted OSC escape sequences to the operator's terminal. The fix narrows what leaks. Not exploitable for privilege escalation.

golang.org/x/crypto v0.49.0 → v0.50.0

Fixes: SSH CBC minimum-packet-size floor not enforced (golang/go#78062); SSH signature algorithm preference ignored in pickSignatureAlgorithm (golang/go#78248).

K8s surface: SSH is only used in test/e2e/framework/ssh/ssh.go — e2e tests that SSH into GCE/AWS nodes. No production binary links x/crypto/ssh.

cyphar.com/go-pathrs v0.2.2 → v0.2.4

What changed: Additional procfs O_PATH resolver hardening — per-component fstype enforcement, stricter procfs-mount checks on older kernels. Defense against proc-mount overlay/mount-injection tricks (known container-escape pattern).

K8s surface: Indirect via github.com/cyphar/filepath-securejoin, used in container rootfs path resolution in kubelet. Defense-in-depth; no active CVE.

golang.org/x/sys v0.42.0 → v0.43.0

What changed (Windows-only): GetNamedSecurityInfo no longer panics (nil deref) when the returned security descriptor is nil. Previous code would crash when the target object has no security descriptor.

K8s surface: Windows nodes only. Could affect kubelet inspecting file/named-pipe security descriptors. Not remotely exploitable.

github.com/containerd/ttrpc v1.2.7 → v1.2.8

What changed: Nil-pointer panic fix (PR #223) — server crashes (nil deref) when a client sends a stream ID that the server doesn't recognize, racing with stream close. Qualifies as a DoS fix; no CVE filed.

K8s surface: Not a direct k8s dependency. Indirect through containerd/cadvisor. ttrpc is an intra-node privileged protocol (containerd ↔ shims over UDS). Not remotely exploitable.

github.com/prometheus/procfs v0.19.2 → v0.20.1

What changed: New bcachefs, NVMe namespace, and capabilities parsers; EINVAL handling in class_cooling_device/thermal sysfs readers; transitive x/sys and x/sync bumps.

K8s surface: Used in kubelet metrics collection, reading /proc and /sys. Inputs are kernel-owned. The new parsing code expands surface but practical risk is negligible.

github.com/spf13/pflag v1.0.9 → v1.0.10

Note: The one non-test code change replaces errors.Is(err, ErrHelp) with err == ErrHelp (loses wrapped ErrHelp detection — a minor regression for Go 1.12 compat). No security fix.

github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 → v2.29.0

What changed: PR #6447 adds WithDisableHTTPMethodOverride() option — allows server to reject X-HTTP-Method-Override header, which can be used to bypass WAF rules (POST + X-HTTP-Method-Override: DELETE bypasses a POST-only WAF rule). Default behavior unchanged — override still honored.

K8s surface: k8s does not import grpc-gateway/v2/runtime in any source file (confirmed by grep). This is a purely indirect dep through etcd/otel. No WAF-bypass exposure in kube-apiserver.

github.com/coredns/caddy v1.1.1 → v1.1.4

What changed: OSS-Fuzz #446778634NextBlock() infinite loop on unclosed Caddyfile block (PR #10); snippet import cycle guard (PR #8, PR #9). Parser hardening against malformed Corefiles.

K8s surface: Not vendored in k/k (confirmed: absent from k8s go.mod). Relevant for the CoreDNS addon image, not Kubernetes core. Track for the next CoreDNS image refresh.

github.com/golang-jwt/jwt/v5 v5.3.0 → v5.3.1

CVE status: CVE-2025-30204 / GO-2025-3553 / GHSA-mh63-6h87-95cp (ParseUnverified allocation DoS) was fixed in v5.2.2 — current v5.3.0 is already past it.

What changed in v5.3.1: New WithNotBeforeRequired parser option (PR #456); Token.Signature populated after sign (PR #417) and ParseUnverified (PR #414). No vulnerability fixes.

Optional hardening: Consider enabling WithNotBeforeRequired in client-go's OIDC verifier as a follow-up.

go-openapi/jsonpointer v0.21.0 → v0.23.1 and go-openapi/jsonreference v0.20.2 → v0.21.5

No CVEs, no panics. jsonpointer v0.23.1 fixes an Offset index calculation bug; fuzz testing added but found no bugs. jsonreference adds fuzz coverage. Both are correctness/hygiene only.

github.com/mailru/easyjson v0.7.7 → v0.9.2

5-year gap but effectively dead code in k8s. The easyjson fast-path in go-openapi/swag is only invoked if a type implements MarshalEasyJSON/UnmarshalEasyJSON — no k8s type does. v0.9.1 null-handling fixes (PR #407) and v0.9.2 NaN/Inf JSON fixes (PR #421) cannot be triggered from any k8s API path.

Priority 4 — NONE (no action needed)

Package Diff Reason no action needed
go.yaml.in/yaml/v2 v2.4.3 → v2.4.4 Single commit: replaces test harness (gopkg.in/check.v1 → stdlib). Zero production code change.
golang.org/x/text v0.35.0 → v0.36.0 Zero code change — only go.mod dep bump. All historical CVEs (CVE-2022-32149, CVE-2021-38561) fixed pre-0.3.8.
golang.org/x/tools v0.42.0 → v0.44.0 Dev tooling (gopls/analyzers) only. Multiple panic fixes but all in developer tooling, none in k8s runtime binaries.
golang.org/x/mod v0.33.0 → v0.35.0 go.mod go-directive bump only. No code changes.
golang.org/x/time v0.14.0 → v0.15.0 go-directive bump. No changes to rate/ package.
golang.org/x/term v0.41.0 → v0.42.0 go.mod dep bump only. No code changes.
golang.org/x/exp 944ab1f → 746e56fc go-directive bump + deprecated reflect.StringHeader removal. No behavioral changes in packages k8s uses.
golang.org/x/oauth2 v0.35.0 → v0.36.0 go-directive bump only. CredentialsFromJSON hardening already landed in v0.35.0 (current). CVE-2025-22868 fixed pre-v0.27.0.
google.golang.org/genproto/googleapis/{api,rpc} commits Auto-regenerated proto stubs. No k8s-referenced fields changed.
github.com/sirupsen/logrus v1.9.3 → v1.9.4 CVE-2025-65637 / GO-2025-4188 / GHSA-4f99-4q7p-p3gh already fixed in v1.9.3 (current). v1.9.4 is pure maintenance.
github.com/pquerna/cachecontrol v0.1.0 → v0.2.0 Adds stale-if-error directive parsing. go-oidc (the caller) never reads the new field. No security delta.
github.com/Microsoft/hnslib v0.1.2 → v0.1.3 Adds exported error constants and tests. No logic changes. Windows-only, zero Linux impact.
github.com/google/pprof 294ebfa → 545e8a4 6 commits, all GitHub Actions workflow bumps. Zero library code changed.
github.com/stretchr/objx v0.5.2 → v0.5.3 Test-only library. All changes in test code, CI, and go.mod. Not linked into any production binary.
github.com/cpuguy83/go-md2man/v2 v2.0.6 → v2.0.7 Build-time man-page generation only. Table rendering fix. Not shipped in any runtime binary.
github.com/chai2010/gettext-go v1.0.2 → v1.0.3 CR round-trip and plural-form correctness. Static translation catalogs — not attacker-controlled.
github.com/google/gnostic-models v0.7.0 → v0.7.1 Proto go_package option changed to absolute paths. No generated Go code changes semantically.
github.com/go-errors/errors v1.4.2 → v1.5.1 Adds Join/Unwrap stdlib parity helpers. Pure error-wrapping library, no attack surface.

Action Plan (ordered)

# 1. golang.org/x/net — CVE-2026-33814 HTTP/2 DoS (HIGH)
./hack/pin-dependency.sh golang.org/x/net v0.53.0
./hack/update-vendor.sh

# 2. fxamacker/cbor — time-tag overflow hardening (HIGH)
./hack/pin-dependency.sh github.com/fxamacker/cbor/v2 v2.9.1
./hack/update-vendor.sh

# 3. etcd — linearizability fixes + transitive CVEs (MEDIUM)
./hack/pin-dependency.sh go.etcd.io/etcd/api/v3 v3.6.10
./hack/pin-dependency.sh go.etcd.io/etcd/client/pkg/v3 v3.6.10
./hack/pin-dependency.sh go.etcd.io/etcd/client/v3 v3.6.10
./hack/pin-dependency.sh go.etcd.io/etcd/pkg/v3 v3.6.10
./hack/pin-dependency.sh go.etcd.io/etcd/server/v3 v3.6.10
./hack/update-vendor.sh

# 4. CSI spec — transitive floor-raise for x/net 0.23+, protobuf 1.33+ (MEDIUM)
./hack/pin-dependency.sh github.com/container-storage-interface/spec v1.12.0
./hack/update-vendor.sh
# → verify: make test pkg/volume/csi/...

# 5. go-openapi/swag — mangler panic fixes in codegen (MEDIUM)
./hack/pin-dependency.sh github.com/go-openapi/swag v0.26.0
# also bump the siblings to avoid MVS conflicts:
./hack/pin-dependency.sh github.com/go-openapi/jsonpointer v0.23.1
./hack/pin-dependency.sh github.com/go-openapi/jsonreference v0.21.5
./hack/pin-dependency.sh github.com/mailru/easyjson v0.9.2
./hack/update-vendor.sh

# 6. moby/term (bundles go-ansiterm OSC fix) (LOW)
./hack/pin-dependency.sh github.com/moby/term v0.5.2
./hack/update-vendor.sh

# Remainder: batch with next routine dep sweep
# golang.org/x/crypto, golang.org/x/sys, golang.org/x/text,
# golang.org/x/tools, golang.org/x/mod, golang.org/x/time,
# golang.org/x/term, golang.org/x/exp, golang.org/x/oauth2,
# google.golang.org/genproto, sirupsen/logrus, golang-jwt,
# pquerna/cachecontrol, Microsoft/hnslib, google/pprof,
# prometheus/procfs, spf13/pflag, stretchr/objx,
# cpuguy83/go-md2man, chai2010/gettext-go, gnostic-models,
# containerd/ttrpc, ishidawataru/sctp, cyphar/go-pathrs,
# container-storage-interface/spec (if not done above),
# go.yaml.in/yaml/v2, go-errors/errors

CVEs Already Patched (verify current vendor is sufficient)

CVE GHSA Package Fixed in Current k8s pin Status
CVE-2025-65637 / GO-2025-4188 GHSA-4f99-4q7p-p3gh github.com/sirupsen/logrus v1.9.1 v1.9.3 ✅ Already fixed
CVE-2025-30204 / GO-2025-3553 GHSA-mh63-6h87-95cp github.com/golang-jwt/jwt/v5 v5.2.2 v5.3.0 ✅ Already fixed
CVE-2025-22868 golang.org/x/oauth2 v0.27.0 v0.35.0 ✅ Already fixed
CVE-2026-33186 (gRPC CRITICAL 9.1) google.golang.org/grpc v1.68.0+ v1.80.0 ✅ Already fixed
CVE-2026-33343 / CVE-2026-33413 GHSA-rfx7-8w68-q57q / GHSA-q8m4-xhhv-38mg go.etcd.io/etcd gRPC auth v3.6.9 v3.6.8 ⚠️ Not exploitable in K8s (apiserver controls auth) — but upgrade recommended for data correctness fixes

Analysis by 5 parallel agents. All reachability claims verified against k/k source grep. Sources: GitHub compare diffs, pkg.go.dev/vuln, GitHub Security Advisories, upstream CVE disclosures.

Raw
2026-04-23-dep-security-v2-prompt.md

Prompt: Kubernetes Dependency Security Analysis

Use this prompt verbatim to generate a security analysis of the current Kubernetes dependency version gaps. Feed it to a capable model (Claude Opus or equivalent) with web access and filesystem access to the kubernetes/kubernetes source tree.

Prompt

You are a Kubernetes security engineer. Your task is to produce a deep, prioritized security analysis of Kubernetes dependency version gaps. Start by fetching the live package list from the Prow CI job, then analyze each package.

Step 0 — Fetch the current package list

  1. Fetch the job history page to find the most recent successful run:

    https://prow.k8s.io/job-history/gs/kubernetes-ci-logs/logs/ci-kubernetes-e2e-kind-dependencies

    Find the first entry with status SUCCESS and extract its job ID from the URL (a large integer, e.g. 2047409810214752256).

  2. Fetch the differences file directly:

    https://storage.googleapis.com/kubernetes-ci-logs/logs/ci-kubernetes-e2e-kind-dependencies/{JOB_ID}/artifacts/differences.md

  3. Parse the table in that file:

    • Skip any row where the first non-whitespace character is ~ — those packages are already at latest and need no analysis.
    • The remaining rows are the packages with version gaps. Each row has: Package | Current | Latest | URL
    • The URL column already contains the GitHub compare URL for each package. Use those directly.

  4. That parsed list is your complete package table. Count the packages and proceed.

Step 1 — Analyze each package

For every package in the list:

  1. Fetch the compare URL from the table. Read the full commit list and changed files. Look specifically for:

    • Commit messages mentioning CVE, security, panic, overflow, DoS, bypass, injection, race, crash, nil deref, OOB, escape, or auth
    • Changes to parsing, serialization, cryptographic, authentication, or network code
    • Changes to error-handling paths that previously panicked
    • Dependency bumps inside the package's own go.mod (transitive CVE fixes)

  2. Check the Go Vulnerability Database at https://pkg.go.dev/vuln/list and https://osv.dev for advisories covering the package in the version range. Also search https://github.com/advisories?query= for GHSA entries.

  3. Check NVD at https://nvd.nist.gov/vuln/search for CVEs mentioning the package.

  4. Determine Kubernetes-specific reachability. For each security-relevant change, answer:

    • Is this package a direct or indirect dep in the k8s go.mod?
    • Which k8s binary uses it: kube-apiserver, kubelet, kube-controller-manager, kube-proxy, kubectl, kubeadm, or only test code?
    • Is the vulnerable/fixed code path reachable from untrusted external input (unauthenticated network, authenticated API request body, pod stdout, etc.) or only from trusted/privileged input?
    • What is the blast radius if exploited?

    Key k8s source locations to grep for reachability:

    • staging/src/k8s.io/apimachinery/ — core API types and serialization
    • staging/src/k8s.io/apiserver/ — kube-apiserver logic
    • staging/src/k8s.io/client-go/ — client library
    • pkg/ — kubelet, controllers, scheduler
    • cmd/ — binary entrypoints
    • test/ — test-only code (not shipped in production binaries)
    • vendor/ — check vendor/modules.txt for direct vs indirect

  5. Assign a priority:

    • CRITICAL — actively exploited or trivially exploitable without authentication, high impact (RCE, auth bypass, data exfiltration)
    • HIGH — remotely exploitable by an authenticated user OR exploitable by a lower-privilege actor; significant impact (DoS of core component, data integrity compromise)
    • MEDIUM — security-relevant fix but not directly exploitable in standard k8s deployments (e.g., not exploitable because k8s does not use etcd's built-in auth, or fix is in transitive dep k8s already pins), OR correctness fix that affects data integrity on the kube-apiserver storage path
    • LOW — defense-in-depth hardening, fix is in test-only code path, or Windows-only, or indirect dep where the attack surface is privileged
    • NONE — zero security content; only CI, docs, go directive bumps, or dev tooling changes

Step 2 — Parallelize by risk tier

Group the packages from your fetched list into tiers and analyze them concurrently with parallel agents:

  • Tier 1 (crypto/auth/networking): packages matching x/crypto, x/net, golang-jwt, go-pathrs, cachecontrol, oauth2
  • Tier 2 (storage/infrastructure): packages matching etcd (all modules together), container-storage-interface, ttrpc, sctp
  • Tier 3 (serialization/parsing): packages matching cbor, easyjson, go-openapi, yaml, go-errors
  • Tier 4 (infra/golang stdlib): packages matching grpc-gateway, caddy, genproto, x/sys, x/text, x/tools, x/mod, x/time, x/term, x/exp
  • Tier 5 (lower-risk mixed): everything else

Merge the tier results before writing output.

Step 3 — Produce the output markdown

Produce a single markdown file with this exact structure:

# Kubernetes Dependency Security Analysis
**Date:** <today>
**Prow job:** <job URL used>
**Packages analyzed:** <count of non-~ rows>
**Method:** GitHub diff inspection, [Go Vulnerability Database](https://pkg.go.dev/vuln/list), CVE/GHSA search, K8s source grep for reachability

---

## Executive Summary

<2-3 sentence summary: how many packages need action, how many have no delta, any already-patched CVEs to call out>

---

## Priority 1 — UPGRADE PROMPTLY
<All HIGH/CRITICAL packages, one subsection each>

### [`package/name`](compare-url) vX.Y.Z → vA.B.C
**CVE:** [CVE-XXXX-XXXXX](nvd link) [or "None filed"]
**Type:** <short description>
**Fix commit/PR:** [`shortsha`](full commit url) — "commit message"

**What it does:** <1-2 sentences on the vulnerability>

**K8s reachability (<LOW/MEDIUM/HIGH/VERY HIGH>):**
- <bullet per binary or code path that is affected>

**Attack scenario:** <concrete description of how an attacker would trigger this in a k8s cluster>

**Action:** `./hack/pin-dependency.sh <module> <version>` then `./hack/update-vendor.sh`

---

## Priority 2 — MEDIUM (upgrade in next dep sweep)
<All MEDIUM packages, one subsection each>

## Priority 3 — LOW (batch in next routine dep PR)
<All LOW packages, shorter entries>

## Priority 4 — NONE (no action needed)
<Table of all NONE packages with one-line reason>

| Package | Diff | Reason no action needed |
|---|---|---|
| [`pkg`](compare-url) | vX → vY | <one line> |

---

## Action Plan (ordered)
<Shell commands in priority order using hack/pin-dependency.sh>

---

## CVEs Already Patched (verify current vendor is sufficient)
<Table of CVEs that were already fixed before the current vendor pin>

| CVE | GHSA | Package | Fixed in | Current k8s pin | Status |
|---|---|---|---|---|---|

Rules — links

  • Every package name in headers must be a hyperlink to the compare URL from the differences.md table.
  • CVE IDs: Link to https://nvd.nist.gov/vuln/detail/CVE-XXXX-XXXXX only after fetching the page to confirm it exists — very new CVEs may be RESERVED and the NVD page will say "CVE ID Not Found." For RESERVED CVEs, link to the upstream issue tracker (e.g., https://github.com/golang/go/issues/XXXXX) or the GHSA instead.
  • GHSA IDs: Link to https://github.com/advisories/GHSA-XXXX-XXXX-XXXX — fetch to verify before linking.
  • Go vuln IDs (GO-XXXX-XXXX): Link to https://pkg.go.dev/vuln/GO-XXXX-XXXX — fetch to verify.
  • PR links: Link to the full GitHub PR URL. Verify the PR number before linking — do not guess.
  • Commit SHAs: ALWAYS use the full 40-character SHA, not an abbreviation. Fetch the commit URL to verify it exists before including it. Abbreviated or guessed SHAs are wrong more often than not.
  • Vanity compare URLs in the differences.md (e.g., https://cyphar.com/go-pathrs/compare/..., https://go.etcd.io/etcd/.../compare/...) redirect to pkg.go.dev, not GitHub diffs. For these, find the real GitHub repo:
    • cyphar.com/go-pathrshttps://github.com/cyphar/libpathrs/compare/go-pathrs%2Fv<OLD>...go-pathrs%2Fv<NEW>
    • go.etcd.io/etcd/*https://github.com/etcd-io/etcd/compare/<OLD>...<NEW> (one compare covers all etcd sub-modules)
    • For any other vanity domain, do go get -v <module> or check the go-import meta tag to find the canonical GitHub repo.
  • go.yaml.in/yaml/v2: The github.com/go-yaml/yaml repo may not have newer v2.4.x tags; if the compare 404s, link to https://pkg.go.dev/go.yaml.in/yaml/v2?tab=versions instead.
  • OSS-Fuzz URLs (https://issues.oss-fuzz.com/issues/XXXXXX) are login-gated. Include when you have the real ID; note they require Google login.
  • Packages with no security content (CI only, go directive bumps, doc fixes) go in the Priority 4 table — do not give them a full subsection.
  • Verify k8s reachability by grepping — do not assume a package is used in production just because it appears in go.mod. Check vendor/modules.txt for direct vs indirect. Check whether imports are in test/ vs pkg//cmd//staging/.
  • When a CVE is already fixed in the current k8s vendor pin, call it out in "CVEs Already Patched" — do not list it as something that needs upgrading.
  • For etcd CVEs: check whether the upstream advisory says "Kubernetes not affected" (etcd maintainers do this when the CVE requires etcd's built-in RBAC/auth, which k8s bypasses). If so, note it but still recommend upgrading for any data-correctness or linearizability fixes in the same release.

Reference: Sample output

The reference output from the 2026-04-23 run (Prow job 2047409810214752256) is at: https://gist.github.com/dims/e7e55d375149d0c3b4d38f85c8cea172

Key findings from that run (use as a sanity check for your methodology):

  • HIGH: golang.org/x/net v0.52→v0.53 — CVE-2026-33814 (golang/go#78476) HTTP/2 Transport hang; fix commit 1e71bd86e4a302b4e731bc06da6eb51679c7bd49
  • HIGH: fxamacker/cbor/v2 v2.9.0→v2.9.1 — CBOR tag-1 epoch float overflow; PRs #750, #753, #757
  • MEDIUM: etcd v3.6.8→v3.6.10 — CVE-2026-33343 / CVE-2026-33413 not exploitable in k8s but linearizability/watch bugs are real
  • MEDIUM: container-storage-interface/spec v1.9→v1.12 — transitive floor-raise (x/net 0.23+, protobuf 1.33+)
  • MEDIUM: go-openapi/swag v0.23→v0.26 — mangler panics; swag commits c65e58864fa8ec20d6c54cf84df8073f069a5d4a and 2bf1ed668be1fc1e8c8625071e5912251da2165b
  • NONE/already patched: logrus CVE-2025-65637, golang-jwt CVE-2025-30204, oauth2 CVE-2025-22868, grpc CVE-2026-33186
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment