# Kubernetes Dependency Security Analysis

**Date:** 2026-04-23

**Packages analyzed:** 43

**Method:** GitHub diff inspection, [Go Vulnerability Database](https://pkg.go.dev/vuln/list), CVE/GHSA search, K8s source grep for reachability

---

## Executive Summary

Of 43 packages with version gaps, **2 require prompt action** (live CVE or directly reachable hardening fix), **3 are medium priority** (correctness/transitive security value), and the remainder are routine hygiene with no meaningful security delta. Two packages had known CVEs that are **already patched** in the currently pinned version.

---

## Priority 1 — UPGRADE PROMPTLY

### [`golang.org/x/net`](https://github.com/golang/net/compare/v0.52.0...v0.53.0) v0.52.0 → v0.53.0

**CVE:** CVE-2026-33814 (RESERVED — not yet in NVD; tracked at [golang/go#78476](https://github.com/golang/go/issues/78476))

**Type:** Remote DoS — HTTP/2 Transport hang

**Fix commit:** [`1e71bd86`](https://github.com/golang/net/commit/1e71bd86e4a302b4e731bc06da6eb51679c7bd49) — "http2: prevent hanging Transport due to bad SETTINGS frame"

**What it does:** A peer that returns an HTTP/2 SETTINGS frame with `MaxFrameSize=0` causes the Transport's `writeFrames` loop to hang indefinitely. This is a client-side hang — not a crash — but it ties up goroutines and connections permanently.

**K8s reachability (VERY HIGH):**

- `kube-apiserver` HTTP/2 client paths: OIDC issuer JWKS fetches, admission webhook calls (MutatingAdmissionWebhook, ValidatingAdmissionWebhook), authentication/authorization webhook calls, aggregated API server proxying
- `kubelet` → image registry (OCI registry over HTTP/2)
- All `client-go` list/watch connections

**Attack scenario:** A malicious or misconfigured OIDC IdP, admission webhook, or aggregated API server responds with a SETTINGS frame containing `MaxFrameSize=0`, hanging the apiserver's connection to it indefinitely. Repeated exploits accumulate hung goroutines → memory pressure / slow DoS.
**Secondary fix in this release:** QUIC server panic on Retry packets with short connection IDs ([golang/go#78292](https://github.com/golang/go/issues/78292)) — not applicable (k8s does not use QUIC/HTTP3).

**Action:** `./hack/pin-dependency.sh golang.org/x/net v0.53.0` then `./hack/update-vendor.sh`

---

### [`github.com/fxamacker/cbor/v2`](https://github.com/fxamacker/cbor/compare/v2.9.0...v2.9.1) v2.9.0 → v2.9.1

**CVE:** None filed yet — but the PR descriptions are explicit about security-motivated hardening

**Type:** Parser hardening for the kube-apiserver CBOR deserializer

**What changed ([PR #750](https://github.com/fxamacker/cbor/pull/750), [PR #753](https://github.com/fxamacker/cbor/pull/753), [PR #757](https://github.com/fxamacker/cbor/pull/757)):**

| Fix | What it prevents |
|---|---|
| Tag-1 epoch float overflow bounds check | Sending `CBOR tag(1) float(1e308)` into any `time.Time` field overflows `int64` seconds — now rejected with bounds error |
| RawMessage.MarshalCBOR returns clone | Prevents external mutation of internal `cborNil` slice state |
| keyasint: reject integer keys > MaxInt64 | Prevents integer overflow in struct-field matching |
| keyasint: string `"1"` no longer matches `cbor:"1,keyasint"` | Eliminates type-confusion between string and integer keys |

**K8s reachability (HIGH):** `kube-apiserver` sets `DecTagOptional` and `IndefLengthAllowed` on its CBOR decoder (`staging/src/k8s.io/apimachinery/pkg/runtime/serializer/cbor/internal/modes/decode.go`). This means:

- An authenticated client can send `Content-Type: application/cbor` with a CBOR tag-1 extreme-float value in `metav1.Time` fields (e.g., `objectMeta.creationTimestamp`, `managedFields[].time`) → triggers the overflow path fixed by [PR #753](https://github.com/fxamacker/cbor/pull/753)

The `keyasint` fixes are not reachable (no k8s Go type uses `cbor:"...,keyasint"` tags), but the time-tag overflow is live.
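To make the tag-1 bounds check concrete, here is an added example (not code from fxamacker/cbor or from k/k) of a minimal decoder for a CBOR tag(1) epoch-time item that validates the float before converting it to `int64` seconds. It assumes only the byte layout from RFC 8949 (`0xC1` = tag 1, `0xFB` = float64, `0x1A` = uint32); `tag1Float`, `decodeTag1` and the bound constants are names chosen for this illustration, and the inputs in `main` are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
	"time"
)

// int64 bounds as exactly representable float64 values: [-2^63, 2^63).
const (
	maxInt64Float = float64(1 << 63)
	minInt64Float = -float64(1 << 63)
)

// tag1Float encodes v as a CBOR tag(1) item whose content is a float64
// (0xC1 = tag 1, 0xFB = major type 7 / float64). Used to build test input.
func tag1Float(v float64) []byte {
	b := make([]byte, 10)
	b[0], b[1] = 0xC1, 0xFB
	binary.BigEndian.PutUint64(b[2:], math.Float64bits(v))
	return b
}

// decodeTag1 decodes a tag(1) epoch time whose content is a float64 or a
// uint32 and converts it to time.Time only after a bounds check: the seconds
// value must fit in int64, and NaN/Inf are rejected instead of being cast.
func decodeTag1(b []byte) (time.Time, error) {
	if len(b) < 2 || b[0] != 0xC1 {
		return time.Time{}, errors.New("not a CBOR tag(1) item")
	}
	var secs float64
	switch b[1] {
	case 0xFB: // major type 7, float64 content
		if len(b) < 10 {
			return time.Time{}, errors.New("truncated float64")
		}
		secs = math.Float64frombits(binary.BigEndian.Uint64(b[2:10]))
	case 0x1A: // major type 0, uint32 content (common integer encoding)
		if len(b) < 6 {
			return time.Time{}, errors.New("truncated uint32")
		}
		return time.Unix(int64(binary.BigEndian.Uint32(b[2:6])), 0).UTC(), nil
	default:
		return time.Time{}, fmt.Errorf("unsupported tag(1) content header 0x%02x", b[1])
	}
	if math.IsNaN(secs) || math.IsInf(secs, 0) {
		return time.Time{}, errors.New("tag(1) float is NaN or Inf")
	}
	// The bounds check: anything outside int64 range is rejected rather than
	// being converted with implementation-defined results.
	if secs >= maxInt64Float || secs < minInt64Float {
		return time.Time{}, fmt.Errorf("tag(1) float %g overflows int64 seconds", secs)
	}
	whole, frac := math.Modf(secs)
	return time.Unix(int64(whole), int64(math.Round(frac*1e9))).UTC(), nil
}

func main() {
	// Constructed inputs: a normal timestamp, the extreme float from the
	// advisory table, and +Inf.
	for _, v := range []float64{1700000000.5, 1e308, math.Inf(1)} {
		t, err := decodeTag1(tag1Float(v))
		if err != nil {
			fmt.Printf("%g -> rejected: %v\n", v, err)
			continue
		}
		fmt.Printf("%g -> %s\n", v, t.Format(time.RFC3339Nano))
	}
}
```

The same shape of check (range-validate, then convert) is what closes the overflow path; a decoder that casts first and validates the resulting `time.Time` afterwards has already lost the information it needed.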
**Action:** `./hack/pin-dependency.sh github.com/fxamacker/cbor/v2 v2.9.1` then `./hack/update-vendor.sh`

---

## Priority 2 — MEDIUM (upgrade in next dep sweep)

### [`go.etcd.io/etcd/{api,client/pkg,client,pkg,server}/v3`](https://github.com/etcd-io/etcd/compare/v3.6.8...v3.6.10) v3.6.8 → v3.6.10

**CVEs (published 2026-03-20):**

| CVE | GHSA | Description | K8s exploitable? |
|---|---|---|---|
| [CVE-2026-33343](https://nvd.nist.gov/vuln/detail/CVE-2026-33343) | [GHSA-rfx7-8w68-q57q](https://github.com/advisories/GHSA-rfx7-8w68-q57q) | Nested Txn bypasses RBAC (read/write any key) | **No** — K8s does not use etcd's auth; apiserver handles auth |
| [CVE-2026-33413](https://nvd.nist.gov/vuln/detail/CVE-2026-33413) | [GHSA-q8m4-xhhv-38mg](https://github.com/advisories/GHSA-q8m4-xhhv-38mg) | MemberList/Alarm/Lease/Compact accessible without auth | **No** — same reason; but Compact DoS matters if etcd port is exposed |

**Why still upgrade:**

1. **Read-index race fix** ([PR #21378](https://github.com/etcd-io/etcd/pull/21378)) — race between read index and leader change can cause stale reads → apiserver list/watch inconsistency
2. **Stale-read fix from process pause** ([PR #21417](https://github.com/etcd-io/etcd/pull/21417)) — linearizability regression, affects kube-apiserver
3. **Watch correctness fix** ([PR #21443](https://github.com/etcd-io/etcd/pull/21443)) — revert of event-reuse between sync loops → incorrect watch events
4. **Transitive grpc fix** — etcd v3.6.9 bumped grpc to 1.79.3 ([CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186), CRITICAL 9.1 — but k8s's own grpc pin already has this)
5. **Transitive x/net fix** — [GO-2026-4559](https://pkg.go.dev/vuln/GO-2026-4559), etcd v3.6.9 bumped x/net to 0.51+ (k8s's own x/net upgrade above covers this)

**Action:** Bump all 5 etcd modules together to v3.6.10.
---

### [`github.com/container-storage-interface/spec`](https://github.com/container-storage-interface/spec/compare/v1.9.0...v1.12.0) v1.9.0 → v1.12.0

**CVEs:** None direct

**Why upgrade:** The jump from v1.9.0 raises transitive dependency floors:

| Dep inside CSI spec | v1.9.0 | v1.10.0+ | Security relevance |
|---|---|---|---|
| `golang.org/x/net` | 0.10.0 | 0.23.0 | Pre-[CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) (HTTP/2 Rapid Reset) → post-fix |
| `google.golang.org/protobuf` | 1.32.0 | 1.33.0 | [GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611) (protojson infinite loop) |
| `google.golang.org/grpc` | 1.57.0 | 1.57.1 | [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487) mitigation |

**Functional additions:** SnapshotMetadata service (alpha, v1.10), VolumeGroupSnapshot GA (v1.11), ControllerModifyVolume GA (v1.12), GetSnapshot (alpha, v1.12). See [releases](https://github.com/container-storage-interface/spec/releases).

**Watch for:** v1.10.0 is a breaking rebuild (protoc-gen-go struct layout change). Ensure no hand-written code depends on old struct layout in `pkg/volume/csi/`.

**Action:** Bump to v1.12.0. Run `make test` on the CSI-consuming kubelet volume path after vendor update.
---

### [`github.com/go-openapi/swag`](https://github.com/go-openapi/swag/compare/v0.23.0...v0.26.0) v0.23.0 → v0.26.0

**CVEs:** None filed

**Type:** Panic fixes in name-mangler (supply-chain/tooling concern)

**Real panic fixes:**

- v0.25.3: `gatherInitialismMatches` panics on inputs like `LinkLocalIPs`, `NativeBaseURLs`, `SiteURLs` — out-of-bounds array access ([commit c65e5886](https://github.com/go-openapi/swag/commit/c65e58864fa8ec20d6c54cf84df8073f069a5d4a))
- v0.25.4: Overlapping pluralized initialisms (e.g., `TTLss`) trigger panic — OSS-Fuzz reported ([commit 2bf1ed66](https://github.com/go-openapi/swag/commit/2bf1ed668be1fc1e8c8625071e5912251da2165b))

**K8s reachability:** `swag.ToGoName`/`ToVarName` are **not called at kube-apiserver runtime** — only in code-generation tooling (`kube-openapi-gen`, `deepcopy-gen`). But crafted CRD names hitting the generator in CI could panic the codegen pipeline.

**Other notable changes:**

- v0.24.0: Removed default `mailru/easyjson` dependency → cleaner dep graph
- v0.25.1: Fixed data race in jsonutils lexer

**Action:** Bump to v0.26.0. Check import paths — v0.24 split package into submodules (`jsonutils`, `yamlutils`, `mangling`), but the `swag` facade package remains.

---

## Priority 3 — LOW (batch in next routine dep PR)

### [`github.com/moby/term`](https://github.com/moby/term/compare/v0.5.0...v0.5.2) v0.5.0 → v0.5.2

(bundles [`github.com/Azure/go-ansiterm`](https://github.com/Azure/go-ansiterm/compare/306776ec8161...faa5f7b0171c) → `faa5f7b0171c`)

**What changed:** OSC string terminator parsing fix ([PR #35](https://github.com/Azure/go-ansiterm/pull/35)) — parser previously transitioned to ground state on any `0x5C` (`\`) byte inside an OSC string, leaking printable content from inside OSC wrappers to the terminal. Fixed to only accept proper ST (String Terminator) sequences.
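The parsing difference is easiest to see side by side. The following is an added example, not go-ansiterm's parser: a deliberately small state machine that swallows OSC strings (`ESC ]` ... terminator) and returns what would reach the terminal. With `strictST=false` it reproduces the pre-fix rule described above (any `0x5C` byte ends the string); with `strictST=true` only `ESC \` (ST) or BEL ends it. The function name, the state names and the sample byte string are constructed for this illustration.

```go
package main

import "fmt"

// Parser states for the small OSC-aware filter below.
const (
	stGround = iota // printable bytes pass through to the terminal
	stEscape        // saw ESC in ground state
	stOSC           // inside ESC ] ... (operating system command string)
	stOSCEsc        // saw ESC inside the OSC string; ESC \ is the ST terminator
)

// filterOSC returns the bytes that reach the terminal once OSC strings are
// swallowed. strictST=false mimics the pre-fix behaviour: a bare 0x5C ('\')
// inside the string returns to ground, so the rest of the wrapper leaks.
// strictST=true ends the string only on ST (ESC \) or BEL (0x07).
func filterOSC(in []byte, strictST bool) []byte {
	state := stGround
	out := make([]byte, 0, len(in))
	for _, c := range in {
		switch state {
		case stGround:
			if c == 0x1B {
				state = stEscape
			} else {
				out = append(out, c)
			}
		case stEscape:
			if c == ']' {
				state = stOSC
			} else {
				state = stGround // other two-byte escapes are dropped wholesale
			}
		case stOSC:
			switch {
			case c == 0x07:
				state = stGround // BEL terminator
			case c == 0x1B:
				state = stOSCEsc
			case !strictST && c == 0x5C:
				state = stGround // the bug: a bare backslash ends the string early
			}
		case stOSCEsc:
			if c == 0x5C {
				state = stGround // ESC \ = ST, the proper terminator
			} else {
				state = stOSC // not a terminator; keep swallowing
			}
		}
	}
	return out
}

func main() {
	// Constructed sample: "A", then an OSC wrapper whose payload contains a
	// backslash followed by "y", terminated by ESC \, then "B".
	sample := []byte("A\x1b]0;x\\y\x1b\\B")
	fmt.Printf("pre-fix: %q\n", filterOSC(sample, false)) // "AyB": the "y" leaks
	fmt.Printf("fixed:   %q\n", filterOSC(sample, true))  // "AB"
}
```

Any code that relays container stdout to an operator's terminal wants the strict form; the leaked payload is whatever followed the first backslash in the wrapper, which is exactly the "printable content from inside OSC wrappers" the fix description refers to.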
**K8s surface:** `kubectl exec`, `kubectl attach`, `kubectl run -it` — a pod's stdout could emit crafted OSC escape sequences to the operator's terminal. The fix narrows what leaks. Not exploitable for privilege escalation.

---

### [`golang.org/x/crypto`](https://github.com/golang/crypto/compare/v0.49.0...v0.50.0) v0.49.0 → v0.50.0

**Fixes:** SSH CBC minimum-packet-size floor not enforced ([golang/go#78062](https://github.com/golang/go/issues/78062)); SSH signature algorithm preference ignored in `pickSignatureAlgorithm` ([golang/go#78248](https://github.com/golang/go/issues/78248)).

**K8s surface:** SSH is only used in `test/e2e/framework/ssh/ssh.go` — e2e tests that SSH into GCE/AWS nodes. No production binary links x/crypto/ssh.

---

### [`cyphar.com/go-pathrs`](https://github.com/cyphar/libpathrs/compare/go-pathrs%2Fv0.2.2...go-pathrs%2Fv0.2.4) v0.2.2 → v0.2.4

**What changed:** Additional procfs O_PATH resolver hardening — per-component fstype enforcement, stricter procfs-mount checks on older kernels. Defense against proc-mount overlay/mount-injection tricks (known container-escape pattern).

**K8s surface:** Indirect via `github.com/cyphar/filepath-securejoin`, used in container rootfs path resolution in kubelet. Defense-in-depth; no active CVE.

---

### [`golang.org/x/sys`](https://github.com/golang/sys/compare/v0.42.0...v0.43.0) v0.42.0 → v0.43.0

**What changed (Windows-only):** `GetNamedSecurityInfo` no longer panics (nil deref) when the returned security descriptor is nil. Previous code would crash when the target object has no security descriptor.

**K8s surface:** Windows nodes only. Could affect kubelet inspecting file/named-pipe security descriptors. Not remotely exploitable.
---

### [`github.com/containerd/ttrpc`](https://github.com/containerd/ttrpc/compare/v1.2.7...v1.2.8) v1.2.7 → v1.2.8

**What changed:** Nil-pointer panic fix ([PR #223](https://github.com/containerd/ttrpc/pull/223)) — server crashes (nil deref) when a client sends a stream ID that the server doesn't recognize, racing with stream close. Qualifies as a DoS fix; no CVE filed.

**K8s surface:** Not a direct k8s dependency. Indirect through containerd/cadvisor. ttrpc is an intra-node privileged protocol (containerd ↔ shims over UDS). Not remotely exploitable.

---

### [`github.com/prometheus/procfs`](https://github.com/prometheus/procfs/compare/v0.19.2...v0.20.1) v0.19.2 → v0.20.1

**What changed:** New bcachefs, NVMe namespace, and capabilities parsers; EINVAL handling in class_cooling_device/thermal sysfs readers; transitive x/sys and x/sync bumps.

**K8s surface:** Used in kubelet metrics collection, reading `/proc` and `/sys`. Inputs are kernel-owned. The new parsing code expands surface but practical risk is negligible.

---

### [`github.com/spf13/pflag`](https://github.com/spf13/pflag/compare/v1.0.9...v1.0.10) v1.0.9 → v1.0.10

**Note:** The one non-test code change replaces `errors.Is(err, ErrHelp)` with `err == ErrHelp` (loses wrapped ErrHelp detection — a minor regression for Go 1.12 compat). No security fix.

---

### [`github.com/grpc-ecosystem/grpc-gateway/v2`](https://github.com/grpc-ecosystem/grpc-gateway/compare/v2.28.0...v2.29.0) v2.28.0 → v2.29.0

**What changed:** [PR #6447](https://github.com/grpc-ecosystem/grpc-gateway/pull/6447) adds `WithDisableHTTPMethodOverride()` option — allows server to reject `X-HTTP-Method-Override` header, which can be used to bypass WAF rules (POST + `X-HTTP-Method-Override: DELETE` bypasses a POST-only WAF rule). Default behavior **unchanged** — override still honored.

**K8s surface:** k8s does not import `grpc-gateway/v2/runtime` in any source file (confirmed by grep). This is a purely indirect dep through etcd/otel.
No WAF-bypass exposure in kube-apiserver.

---

### [`github.com/coredns/caddy`](https://github.com/coredns/caddy/compare/v1.1.1...v1.1.4) v1.1.1 → v1.1.4

**What changed:** [OSS-Fuzz #446778634](https://issues.oss-fuzz.com/issues/446778634) — `NextBlock()` infinite loop on unclosed Caddyfile block ([PR #10](https://github.com/coredns/caddy/pull/10)); snippet import cycle guard ([PR #8](https://github.com/coredns/caddy/pull/8), [PR #9](https://github.com/coredns/caddy/pull/9)). Parser hardening against malformed Corefiles.

**K8s surface:** Not vendored in k/k (confirmed: absent from k8s go.mod). Relevant for the CoreDNS addon image, not Kubernetes core. Track for the next CoreDNS image refresh.

---

### [`github.com/golang-jwt/jwt/v5`](https://github.com/golang-jwt/jwt/compare/v5.3.0...v5.3.1) v5.3.0 → v5.3.1

**CVE status:** [CVE-2025-30204](https://nvd.nist.gov/vuln/detail/CVE-2025-30204) / [GO-2025-3553](https://pkg.go.dev/vuln/GO-2025-3553) / [GHSA-mh63-6h87-95cp](https://github.com/advisories/GHSA-mh63-6h87-95cp) (ParseUnverified allocation DoS) was fixed in v5.2.2 — **current v5.3.0 is already past it**.

**What changed in v5.3.1:** New `WithNotBeforeRequired` parser option ([PR #456](https://github.com/golang-jwt/jwt/pull/456)); Token.Signature populated after sign ([PR #417](https://github.com/golang-jwt/jwt/pull/417)) and ParseUnverified ([PR #414](https://github.com/golang-jwt/jwt/pull/414)). No vulnerability fixes.

**Optional hardening:** Consider enabling `WithNotBeforeRequired` in client-go's OIDC verifier as a follow-up.

---

### [`go-openapi/jsonpointer`](https://github.com/go-openapi/jsonpointer/compare/v0.21.0...v0.23.1) v0.21.0 → v0.23.1 and [`go-openapi/jsonreference`](https://github.com/go-openapi/jsonreference/compare/v0.20.2...v0.21.5) v0.20.2 → v0.21.5

No CVEs, no panics. jsonpointer v0.23.1 fixes an Offset index calculation bug; fuzz testing added but found no bugs. jsonreference adds fuzz coverage. Both are correctness/hygiene only.
---

### [`github.com/mailru/easyjson`](https://github.com/mailru/easyjson/compare/v0.7.7...v0.9.2) v0.7.7 → v0.9.2

5-year gap but **effectively dead code in k8s**. The easyjson fast-path in `go-openapi/swag` is only invoked if a type implements `MarshalEasyJSON`/`UnmarshalEasyJSON` — no k8s type does. v0.9.1 null-handling fixes ([PR #407](https://github.com/mailru/easyjson/pull/407)) and v0.9.2 NaN/Inf JSON fixes ([PR #421](https://github.com/mailru/easyjson/pull/421)) cannot be triggered from any k8s API path.

---

## Priority 4 — NONE (no action needed)

| Package | Diff | Reason no action needed |
|---|---|---|
| [`go.yaml.in/yaml/v2`](https://pkg.go.dev/go.yaml.in/yaml/v2?tab=versions) | v2.4.3 → v2.4.4 | Single commit: replaces test harness (gopkg.in/check.v1 → stdlib). Zero production code change. |
| [`golang.org/x/text`](https://github.com/golang/text/compare/v0.35.0...v0.36.0) | v0.35.0 → v0.36.0 | Zero code change — only go.mod dep bump. All historical CVEs ([CVE-2022-32149](https://nvd.nist.gov/vuln/detail/CVE-2022-32149), [CVE-2021-38561](https://nvd.nist.gov/vuln/detail/CVE-2021-38561)) fixed pre-0.3.8. |
| [`golang.org/x/tools`](https://github.com/golang/tools/compare/v0.42.0...v0.44.0) | v0.42.0 → v0.44.0 | Dev tooling (gopls/analyzers) only. Multiple panic fixes but all in developer tooling, none in k8s runtime binaries. |
| [`golang.org/x/mod`](https://github.com/golang/mod/compare/v0.33.0...v0.35.0) | v0.33.0 → v0.35.0 | go.mod go-directive bump only. No code changes. |
| [`golang.org/x/time`](https://github.com/golang/time/compare/v0.14.0...v0.15.0) | v0.14.0 → v0.15.0 | go-directive bump. No changes to `rate/` package. |
| [`golang.org/x/term`](https://github.com/golang/term/compare/v0.41.0...v0.42.0) | v0.41.0 → v0.42.0 | go.mod dep bump only. No code changes. |
| [`golang.org/x/exp`](https://github.com/golang/exp/compare/944ab1f22d93...746e56fc9e2f) | 944ab1f → 746e56fc | go-directive bump + deprecated `reflect.StringHeader` removal. No behavioral changes in packages k8s uses. |
| [`golang.org/x/oauth2`](https://github.com/golang/oauth2/compare/v0.35.0...v0.36.0) | v0.35.0 → v0.36.0 | go-directive bump only. `CredentialsFromJSON` hardening already landed in v0.35.0 (current). [CVE-2025-22868](https://nvd.nist.gov/vuln/detail/CVE-2025-22868) fixed pre-v0.27.0. |
| [`google.golang.org/genproto/googleapis/{api,rpc}`](https://github.com/googleapis/go-genproto/compare/9d38bb4040a9...e10c466a9529) | commits | Auto-regenerated proto stubs. No k8s-referenced fields changed. |
| [`github.com/sirupsen/logrus`](https://github.com/sirupsen/logrus/compare/v1.9.3...v1.9.4) | v1.9.3 → v1.9.4 | [CVE-2025-65637](https://nvd.nist.gov/vuln/detail/CVE-2025-65637) / [GO-2025-4188](https://pkg.go.dev/vuln/GO-2025-4188) / [GHSA-4f99-4q7p-p3gh](https://github.com/advisories/GHSA-4f99-4q7p-p3gh) already fixed in v1.9.3 (current). v1.9.4 is pure maintenance. |
| [`github.com/pquerna/cachecontrol`](https://github.com/pquerna/cachecontrol/compare/v0.1.0...v0.2.0) | v0.1.0 → v0.2.0 | Adds `stale-if-error` directive parsing. go-oidc (the caller) never reads the new field. No security delta. |
| [`github.com/Microsoft/hnslib`](https://github.com/Microsoft/hnslib/compare/v0.1.2...v0.1.3) | v0.1.2 → v0.1.3 | Adds exported error constants and tests. No logic changes. Windows-only, zero Linux impact. |
| [`github.com/google/pprof`](https://github.com/google/pprof/compare/294ebfa9ad83...545e8a4df936) | 294ebfa → 545e8a4 | 6 commits, **all GitHub Actions workflow bumps**. Zero library code changed. |
| [`github.com/stretchr/objx`](https://github.com/stretchr/objx/compare/v0.5.2...v0.5.3) | v0.5.2 → v0.5.3 | Test-only library. All changes in test code, CI, and go.mod. Not linked into any production binary. |
| [`github.com/cpuguy83/go-md2man/v2`](https://github.com/cpuguy83/go-md2man/compare/v2.0.6...v2.0.7) | v2.0.6 → v2.0.7 | Build-time man-page generation only. Table rendering fix. Not shipped in any runtime binary. |
| [`github.com/chai2010/gettext-go`](https://github.com/chai2010/gettext-go/compare/v1.0.2...v1.0.3) | v1.0.2 → v1.0.3 | CR round-trip and plural-form correctness. Static translation catalogs — not attacker-controlled. |
| [`github.com/google/gnostic-models`](https://github.com/google/gnostic-models/compare/v0.7.0...v0.7.1) | v0.7.0 → v0.7.1 | Proto `go_package` option changed to absolute paths. No generated Go code changes semantically. |
| [`github.com/go-errors/errors`](https://github.com/go-errors/errors/compare/v1.4.2...v1.5.1) | v1.4.2 → v1.5.1 | Adds `Join`/`Unwrap` stdlib parity helpers. Pure error-wrapping library, no attack surface. |

---

## Action Plan (ordered)

```
# 1. golang.org/x/net — CVE-2026-33814 HTTP/2 DoS (HIGH)
./hack/pin-dependency.sh golang.org/x/net v0.53.0
./hack/update-vendor.sh

# 2. fxamacker/cbor — time-tag overflow hardening (HIGH)
./hack/pin-dependency.sh github.com/fxamacker/cbor/v2 v2.9.1
./hack/update-vendor.sh

# 3. etcd — linearizability fixes + transitive CVEs (MEDIUM)
./hack/pin-dependency.sh go.etcd.io/etcd/api/v3 v3.6.10
./hack/pin-dependency.sh go.etcd.io/etcd/client/pkg/v3 v3.6.10
./hack/pin-dependency.sh go.etcd.io/etcd/client/v3 v3.6.10
./hack/pin-dependency.sh go.etcd.io/etcd/pkg/v3 v3.6.10
./hack/pin-dependency.sh go.etcd.io/etcd/server/v3 v3.6.10
./hack/update-vendor.sh

# 4. CSI spec — transitive floor-raise for x/net 0.23+, protobuf 1.33+ (MEDIUM)
./hack/pin-dependency.sh github.com/container-storage-interface/spec v1.12.0
./hack/update-vendor.sh
# → verify: make test pkg/volume/csi/...

# 5. go-openapi/swag — mangler panic fixes in codegen (MEDIUM)
./hack/pin-dependency.sh github.com/go-openapi/swag v0.26.0
# also bump the siblings to avoid MVS conflicts:
./hack/pin-dependency.sh github.com/go-openapi/jsonpointer v0.23.1
./hack/pin-dependency.sh github.com/go-openapi/jsonreference v0.21.5
./hack/pin-dependency.sh github.com/mailru/easyjson v0.9.2
./hack/update-vendor.sh

# 6. moby/term (bundles go-ansiterm OSC fix) (LOW)
./hack/pin-dependency.sh github.com/moby/term v0.5.2
./hack/update-vendor.sh

# Remainder: batch with next routine dep sweep
# golang.org/x/crypto, golang.org/x/sys, golang.org/x/text,
# golang.org/x/tools, golang.org/x/mod, golang.org/x/time,
# golang.org/x/term, golang.org/x/exp, golang.org/x/oauth2,
# google.golang.org/genproto, sirupsen/logrus, golang-jwt,
# pquerna/cachecontrol, Microsoft/hnslib, google/pprof,
# prometheus/procfs, spf13/pflag, stretchr/objx,
# cpuguy83/go-md2man, chai2010/gettext-go, gnostic-models,
# containerd/ttrpc, ishidawataru/sctp, cyphar/go-pathrs,
# container-storage-interface/spec (if not done above),
# go.yaml.in/yaml/v2, go-errors/errors
```

---

## CVEs Already Patched (verify current vendor is sufficient)

| CVE | GHSA | Package | Fixed in | Current k8s pin | Status |
|---|---|---|---|---|---|
| [CVE-2025-65637](https://nvd.nist.gov/vuln/detail/CVE-2025-65637) / [GO-2025-4188](https://pkg.go.dev/vuln/GO-2025-4188) | [GHSA-4f99-4q7p-p3gh](https://github.com/advisories/GHSA-4f99-4q7p-p3gh) | `github.com/sirupsen/logrus` | v1.9.1 | v1.9.3 | ✅ Already fixed |
| [CVE-2025-30204](https://nvd.nist.gov/vuln/detail/CVE-2025-30204) / [GO-2025-3553](https://pkg.go.dev/vuln/GO-2025-3553) | [GHSA-mh63-6h87-95cp](https://github.com/advisories/GHSA-mh63-6h87-95cp) | `github.com/golang-jwt/jwt/v5` | v5.2.2 | v5.3.0 | ✅ Already fixed |
| [CVE-2025-22868](https://nvd.nist.gov/vuln/detail/CVE-2025-22868) | — | `golang.org/x/oauth2` | v0.27.0 | v0.35.0 | ✅ Already fixed |
| [CVE-2026-33186](https://nvd.nist.gov/vuln/detail/CVE-2026-33186) (gRPC CRITICAL 9.1) | — | `google.golang.org/grpc` | v1.68.0+ | v1.80.0 | ✅ Already fixed |
| [CVE-2026-33343](https://nvd.nist.gov/vuln/detail/CVE-2026-33343) / [CVE-2026-33413](https://nvd.nist.gov/vuln/detail/CVE-2026-33413) | [GHSA-rfx7-8w68-q57q](https://github.com/advisories/GHSA-rfx7-8w68-q57q) / [GHSA-q8m4-xhhv-38mg](https://github.com/advisories/GHSA-q8m4-xhhv-38mg) | `go.etcd.io/etcd` gRPC auth | v3.6.9 | v3.6.8 | ⚠️ Not exploitable in K8s (apiserver controls auth) — but upgrade recommended for data correctness fixes |

---

*Analysis by 5 parallel agents. All reachability claims verified against k/k source grep. Sources: GitHub compare diffs, [pkg.go.dev/vuln](https://pkg.go.dev/vuln/list), GitHub Security Advisories, upstream CVE disclosures.*