CVE-2026-24514 Overview
A security issue was discovered in ingress-nginx where the validating admission controller feature is subject to a denial of service condition. By sending large requests to the validating admission controller, an attacker can cause memory consumption, which may result in the ingress-nginx controller pod being killed or the node running out of memory.
Critical Impact
Attackers can exploit this memory exhaustion vulnerability to disrupt Kubernetes cluster operations by crashing the ingress-nginx controller pod or causing node-level resource exhaustion.
Affected Products
- Kubernetes ingress-nginx with validating admission controller enabled
- Kubernetes clusters utilizing ingress-nginx admission webhooks
Discovery Timeline
- 2026-02-03 - CVE-2026-24514 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-24514
Vulnerability Analysis
This vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The ingress-nginx validating admission controller does not properly limit the size of incoming admission requests, allowing attackers to submit excessively large payloads. When processing these oversized requests, the controller allocates memory proportional to the request size without enforcing upper bounds.
The network-accessible nature of Kubernetes admission controllers makes this vulnerability exploitable by any authenticated user who can submit resources that trigger admission validation. Since the vulnerability targets a core Kubernetes networking component, successful exploitation can cascade into broader cluster instability.
Root Cause
The root cause stems from insufficient resource allocation controls within the ingress-nginx validating admission controller. When admission requests arrive, the controller processes and stores the entire request payload in memory without implementing size limits or throttling mechanisms. This allows an attacker to craft requests that consume excessive memory resources, eventually exhausting available memory on the ingress-nginx controller pod or potentially the underlying node.
Attack Vector
The attack is conducted over the network and requires low-privilege authenticated access to the Kubernetes cluster. An attacker with the ability to create or modify Ingress resources can submit specially crafted large admission requests to the validating admission controller. The controller attempts to process these requests in full, leading to memory exhaustion.
The attack flow involves:
- Attacker identifies a Kubernetes cluster running ingress-nginx with the validating admission controller enabled
- Attacker crafts admission requests with excessively large payloads
- Requests are submitted to the admission webhook endpoint
- The controller allocates memory to process each request without bounds checking
- Repeated requests or sufficiently large single requests cause memory exhaustion
- The ingress-nginx controller pod is OOM-killed or the node experiences memory pressure
For technical details on the vulnerability mechanism, see the GitHub Issue Discussion.
Detection Methods for CVE-2026-24514
Indicators of Compromise
- Unusually large admission webhook requests to the ingress-nginx controller
- Repeated OOMKilled events for ingress-nginx controller pods
- Rapid memory consumption spikes in ingress-nginx containers
- Node-level memory pressure alerts correlated with ingress-nginx activity
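As an added detection check that is not part of the original advisory, the following Python (standard library only) turns the first two indicators into a script: it reads the JSON that `kubectl get pods -n ingress-nginx -o json` produces, reports controller containers whose last termination was OOMKilled together with their restart count, and lists controller containers that have no memory limit at all. The pod JSON embedded here is constructed sample data, and the `ingress-nginx-controller` name prefix is an assumption about the deployment.

```python
import json

# Constructed sample of `kubectl get pods -n ingress-nginx -o json` output; not real cluster data.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "ingress-nginx-controller-abc12", "namespace": "ingress-nginx"},
     "spec": {"containers": [{"name": "controller",
                              "resources": {"limits": {"memory": "1Gi"}}}]},
     "status": {"containerStatuses": [{"name": "controller", "restartCount": 4,
                                       "lastState": {"terminated": {"reason": "OOMKilled",
                                                                    "exitCode": 137}}}]}},
    {"metadata": {"name": "ingress-nginx-controller-def34", "namespace": "ingress-nginx"},
     "spec": {"containers": [{"name": "controller", "resources": {}}]},
     "status": {"containerStatuses": [{"name": "controller", "restartCount": 0,
                                       "lastState": {}}]}},
]})


def _controller_pods(pods_json: str, name_prefix: str):
    """Yield the pods whose name starts with name_prefix (assumed to be the controller pods)."""
    for pod in json.loads(pods_json)["items"]:
        if pod["metadata"]["name"].startswith(name_prefix):
            yield pod


def find_oom_killed(pods_json: str, name_prefix: str = "ingress-nginx-controller") -> list[dict]:
    """One finding per controller container whose last termination reason was OOMKilled."""
    findings = []
    for pod in _controller_pods(pods_json, name_prefix):
        limits = {c["name"]: c.get("resources", {}).get("limits", {}).get("memory")
                  for c in pod["spec"]["containers"]}
        for cs in pod["status"].get("containerStatuses", []):
            terminated = cs.get("lastState", {}).get("terminated", {})
            if terminated.get("reason") == "OOMKilled":
                findings.append({"pod": pod["metadata"]["name"], "container": cs["name"],
                                 "restarts": cs.get("restartCount", 0),
                                 "memory_limit": limits.get(cs["name"])})
    return findings


def missing_memory_limits(pods_json: str, name_prefix: str = "ingress-nginx-controller") -> list[str]:
    """'pod/container' entries with no memory limit: growth is then bounded only by node memory."""
    missing = []
    for pod in _controller_pods(pods_json, name_prefix):
        for c in pod["spec"]["containers"]:
            if not c.get("resources", {}).get("limits", {}).get("memory"):
                missing.append(f'{pod["metadata"]["name"]}/{c["name"]}')
    return missing
```

Run it against live output by replacing SAMPLE_PODS_JSON with the captured kubectl JSON; a pod that appears in both lists is the case to fix first.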
Detection Strategies
- Monitor Kubernetes events for OOMKilled status on ingress-nginx controller pods using kubectl get events --field-selector reason=OOMKilled
- Implement admission webhook request size monitoring at the API server level
- Set up alerts for memory usage thresholds on ingress-nginx pods exceeding normal operational baselines
- Review audit logs for unusual patterns of Ingress resource creation or modification
Monitoring Recommendations
- Configure Prometheus alerts for ingress-nginx container memory usage approaching resource limits
- Enable Kubernetes audit logging to capture admission request metadata and sizes
- Implement network traffic analysis to detect abnormally large payloads to admission webhook endpoints
- Set up cluster-wide monitoring for memory pressure conditions on nodes running ingress-nginx
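As an added example that is not part of the original advisory, the following Python (standard library only) applies the audit-log recommendations to constructed Kubernetes audit events: it keeps only completed Ingress write requests (the ones that reach the validating webhook), measures the recorded request object, flags entries above an assumed size threshold, and counts writes per identity. It assumes the audit policy records Ingress requests at level RequestResponse so that requestObject is present, and the 2048-byte threshold is a placeholder to be tuned against the cluster's own baseline.

```python
import json
from collections import Counter

# Constructed Kubernetes audit log lines (JSON log backend, audit level RequestResponse for
# ingresses so requestObject is recorded); not captured from a real cluster. The 4 KiB
# annotation on the second event stands in for an oversized object.
SAMPLE_AUDIT_LINES = [
    json.dumps({"kind": "Event", "stage": "ResponseComplete", "verb": "create",
                "user": {"username": "system:serviceaccount:apps:deployer"},
                "objectRef": {"resource": "ingresses", "apiGroup": "networking.k8s.io",
                              "namespace": "apps", "name": "web"},
                "requestObject": {"metadata": {"name": "web",
                                               "annotations": {"example.com/note": "a" * 20}}}}),
    json.dumps({"kind": "Event", "stage": "ResponseComplete", "verb": "update",
                "user": {"username": "dev-user"},
                "objectRef": {"resource": "ingresses", "apiGroup": "networking.k8s.io",
                              "namespace": "apps", "name": "big"},
                "requestObject": {"metadata": {"name": "big",
                                               "annotations": {"example.com/note": "#" * 4096}}}}),
    json.dumps({"kind": "Event", "stage": "ResponseComplete", "verb": "get",
                "user": {"username": "dev-user"},
                "objectRef": {"resource": "ingresses", "apiGroup": "networking.k8s.io",
                              "namespace": "apps", "name": "big"}}),
]

WRITE_VERBS = ("create", "update", "patch")  # reads never reach the validating webhook

def ingress_writes(lines):
    """Yield (event, serialized requestObject size in bytes) for completed Ingress writes."""
    for line in lines:
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":  # RequestReceived entries would double count
            continue
        if ev.get("objectRef", {}).get("resource") != "ingresses":
            continue
        if ev.get("verb") not in WRITE_VERBS:
            continue
        body = json.dumps(ev.get("requestObject", {}), separators=(",", ":")).encode()
        yield ev, len(body)

def flag_large_ingress_writes(lines, max_bytes: int = 2048) -> list[dict]:
    """Ingress writes whose request object exceeds max_bytes (the threshold is an assumption)."""
    return [{"user": ev["user"]["username"], "verb": ev["verb"], "bytes": size,
             "namespace": ev["objectRef"].get("namespace"), "name": ev["objectRef"].get("name")}
            for ev, size in ingress_writes(lines) if size > max_bytes]

def ingress_writes_per_user(lines) -> Counter:
    """Ingress write count per identity; a burst from one identity is worth a closer look."""
    return Counter(ev["user"]["username"] for ev, _ in ingress_writes(lines))
```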
How to Mitigate CVE-2026-24514
Immediate Actions Required
- Review and apply any available patches or updates from the ingress-nginx project
- Implement Kubernetes ResourceQuota and LimitRange policies to constrain ingress-nginx pod resource consumption
- Consider temporarily disabling the validating admission controller if not strictly required
- Restrict network access to the admission webhook endpoint using NetworkPolicies
Patch Information
Consult the GitHub Issue Discussion for the latest information on available patches and recommended versions. Apply updates to ingress-nginx as soon as patches addressing this memory exhaustion vulnerability are released.
Workarounds
- Implement LimitRange and ResourceQuota in the namespace where ingress-nginx runs to limit maximum memory consumption
- Configure admission webhook timeouts to prevent long-running requests from accumulating
- Use NetworkPolicies to restrict which pods and services can communicate with the admission controller
- Enable pod disruption budgets to ensure controller availability during potential attack scenarios
# Configuration example - Apply resource limits to ingress-nginx namespace
kubectl apply -f - <<EOF
apiVersion: v1
kind: LimitRange
metadata:
  name: ingress-nginx-limits
  namespace: ingress-nginx
spec:
  limits:
  - default:
      memory: "512Mi"
    defaultRequest:
      memory: "256Mi"
    max:
      memory: "1Gi"
    type: Container
EOF
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.