Uncontrolled Recursion in Istio - CVE-2022-24726
Published: March 10, 2022 / Updated: April 20, 2026
Vulnerability identifier: #VU126611
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-24726
CWE-ID: CWE-674
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Istio
Istio
Software vendor:
Istio
Istio
Description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to stack exhaustion in the istiod control plane when processing specially crafted or oversized messages sent to the Kubernetes validating or mutating webhook service. A remote attacker can send a specially crafted or oversized message to cause a denial of service.
Exploitation is possible when the webhook service is exposed publicly on TLS port 15017.
Remediation
Install security update from vendor's website.