Main Vulnerability Database SB2022031048

SB2022031048 - Uncontrolled Recursion in Istio

Published: March 10, 2022 Updated: April 20, 2026

Security Bulletin ID SB2022031048

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Uncontrolled Recursion (CVE-ID: CVE-2022-24726)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to stack exhaustion in the istiod control plane when processing specially crafted or oversized messages sent to the Kubernetes validating or mutating webhook service. A remote attacker can send a specially crafted or oversized message to cause a denial of service.

Exploitation is possible when the webhook service is exposed publicly on TLS port 15017.

Remediation

Install update from vendor's website.

References

https://github.com/istio/istio/security/advisories/GHSA-8w5h-qr4r-2h6g
https://github.com/advisories/GHSA-8w5h-qr4r-2h6g