CVE-2026-34992 Overview
CVE-2026-34992 is a missing encryption vulnerability in Antrea, a Kubernetes networking solution. In Antrea clusters configured for dual-stack networking with IPsec encryption enabled (trafficEncryptionMode: ipsec), Antrea fails to apply encryption for IPv6 Pod traffic. While IPv4 traffic is correctly encrypted via ESP (Encapsulating Security Payload), traffic using IPv6 is transmitted in plaintext. This occurs because IPv6 packets are encapsulated using Geneve or VXLAN but bypass the IPsec encryption layer entirely.
Critical Impact
Inter-Node Pod traffic using IPv6 in dual-stack Kubernetes clusters with IPsec encryption enabled is transmitted unencrypted, exposing sensitive data to potential interception by adjacent network attackers.
Affected Products
- Antrea versions prior to 2.4.5
- Antrea 2.5.x versions prior to 2.5.2
- Dual-stack Kubernetes clusters with IPsec encryption enabled
Discovery Timeline
- 2026-04-06 - CVE-2026-34992 published to NVD
- 2026-04-07 - Last updated in the NVD database
Technical Details for CVE-2026-34992
Vulnerability Analysis
This vulnerability (CWE-311: Missing Encryption of Sensitive Data) affects the traffic encryption implementation in Antrea's network overlay. The root issue lies in how Antrea handles IPsec configuration for dual-stack (IPv4/IPv6) deployments. When administrators enable IPsec encryption via the trafficEncryptionMode: ipsec configuration, Antrea correctly establishes IPsec Security Associations (SAs) and encrypts IPv4 inter-Node Pod traffic using ESP. The IPv6 traffic path, however, does not use these encryption mechanisms at all.
The adjacent network attack vector means an attacker with access to the network segment between Kubernetes nodes can passively capture unencrypted IPv6 Pod traffic. This could expose sensitive application data, credentials, API tokens, or other confidential information transmitted between Pods on different nodes.
Root Cause
The vulnerability stems from an implementation gap in Antrea's traffic encryption handling for dual-stack networking configurations. When traffic is encapsulated using Geneve or VXLAN tunnels for inter-Node communication, the IPv6 packets bypass the IPsec encryption layer that is correctly applied to IPv4 traffic. This indicates a missing or incomplete code path for applying IPsec encryption specifically to IPv6 encapsulated traffic.
Attack Vector
An attacker positioned on the adjacent network (same Layer 2 segment or with access to network infrastructure between Kubernetes nodes) can intercept IPv6 Pod traffic in plaintext. The attack requires no authentication or user interaction, making passive eavesdropping straightforward for an attacker with appropriate network positioning.
The exploitation scenario involves:
- Attacker gains access to the network segment between Kubernetes nodes (data center network, cloud VPC, or overlay network infrastructure)
- Attacker deploys packet capture tools to monitor inter-Node traffic
- IPv6 Pod-to-Pod communications traversing nodes are captured in plaintext
- Sensitive data, credentials, or application traffic is extracted from captured packets
No code example is provided as the vulnerability is a configuration and implementation gap rather than an exploitable code path. For technical details on the fix, refer to the GitHub Security Advisory GHSA-qcmw-8mm4-4p28 and related pull requests #7757 and #7759.
Detection Methods for CVE-2026-34992
Indicators of Compromise
- Unencrypted IPv6 traffic observed between Kubernetes nodes on Geneve or VXLAN tunnel ports
- Packet captures showing plaintext IPv6 Pod traffic while IPv4 traffic is ESP-encrypted
- Network monitoring alerts for unencrypted traffic on expected-encrypted inter-Node communication paths
Detection Strategies
- Deploy network traffic analysis tools to inspect inter-Node traffic and verify encryption status for both IPv4 and IPv6
- Use tcpdump or Wireshark on node interfaces to capture tunnel traffic and verify ESP encapsulation is applied to IPv6 packets
- Implement Kubernetes network policy auditing to detect potential data exposure from unencrypted channels
- Monitor for anomalous traffic patterns indicating possible passive interception attempts
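The capture-based check described above can be automated. The following Python script is an added example (not part of this advisory or of the Antrea project): it decodes Ethernet/IPv4/IPv6 headers from raw frames, counts ESP packets against plaintext Geneve (UDP/6081) and VXLAN (UDP/4789) packets per address family, and reports any overlay packet that left a Node without ESP. The frames it runs on are constructed inline so it works offline; on a real Node the same functions can be fed frames read from a pcap file. It assumes no IPv6 extension headers and no UDP-encapsulated ESP (NAT-T), which holds for plain node-to-node tunnel traffic.

```python
import struct
import ipaddress

# Header constants the classifier inspects.
ETH_P_IPV4 = 0x0800
ETH_P_IPV6 = 0x86DD
PROTO_UDP = 17
PROTO_ESP = 50
OVERLAY_PORTS = {4789: "vxlan", 6081: "geneve"}  # IANA-assigned tunnel ports


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet + IPv4/IPv6 headers and, for UDP, the destination port.

    Assumption: no IPv6 extension headers and no NAT-T (ESP over UDP/4500).
    """
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    if ethertype == ETH_P_IPV4:
        family, proto = 4, ip[9]
        src, dst = ipaddress.ip_address(ip[12:16]), ipaddress.ip_address(ip[16:20])
        l4 = ip[(ip[0] & 0x0F) * 4:]
    elif ethertype == ETH_P_IPV6:
        family, proto = 6, ip[6]
        src, dst = ipaddress.ip_address(ip[8:24]), ipaddress.ip_address(ip[24:40])
        l4 = ip[40:]
    else:
        return {"family": None}
    overlay = None
    if proto == PROTO_UDP and len(l4) >= 4:
        overlay = OVERLAY_PORTS.get(struct.unpack("!HH", l4[:4])[1])
    return {"family": family, "proto": proto, "src": src, "dst": dst, "overlay": overlay}


def audit(frames) -> tuple:
    """Count ESP vs. plaintext overlay packets per family and list every
    tunnel packet that is not wrapped in ESP (the CVE-2026-34992 symptom)."""
    counts = {4: {"esp": 0, "plaintext_overlay": 0}, 6: {"esp": 0, "plaintext_overlay": 0}}
    findings = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt["family"] is None:
            continue
        if pkt["proto"] == PROTO_ESP:
            counts[pkt["family"]]["esp"] += 1
        elif pkt["overlay"]:
            counts[pkt["family"]]["plaintext_overlay"] += 1
            findings.append(
                f"IPv{pkt['family']} {pkt['overlay']} {pkt['src']} -> {pkt['dst']} is not ESP-protected"
            )
    return counts, findings


# --- Constructed sample frames (not a real capture) --------------------------
def _eth(ethertype: int) -> bytes:
    return bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + struct.pack("!H", ethertype)

def _udp(dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload

def _ipv4(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return _eth(ETH_P_IPV4) + hdr + l4

def _ipv6(src: str, dst: str, nexthdr: int, l4: bytes) -> bytes:
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(l4), nexthdr, 64,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return _eth(ETH_P_IPV6) + hdr + l4

SAMPLE_FRAMES = [
    # IPv4 inter-Node traffic as expected under trafficEncryptionMode: ipsec:
    # the tunnel is wrapped in ESP (SPI + sequence number + opaque ciphertext).
    _ipv4("10.10.0.11", "10.10.0.12", PROTO_ESP, struct.pack("!II", 0x0A3F1C22, 1) + b"\x00" * 32),
    # IPv6 inter-Node traffic showing the vulnerability: a Geneve packet on
    # UDP/6081 with no ESP around it, so the inner Pod payload is readable.
    _ipv6("fd00:10::11", "fd00:10::12", PROTO_UDP, _udp(6081, b"\x00" * 8 + b"POD-PAYLOAD")),
    # Unrelated UDP/53 traffic, which the audit ignores.
    _ipv4("10.10.0.11", "10.10.0.53", PROTO_UDP, _udp(53, b"\x00" * 12)),
]

if __name__ == "__main__":
    totals, issues = audit(SAMPLE_FRAMES)
    print(totals)
    for line in issues:
        print("FINDING:", line)
```

A healthy dual-stack IPsec cluster shows `esp` counts for both families and zero `plaintext_overlay`; an affected cluster shows IPv4 ESP alongside IPv6 plaintext Geneve or VXLAN, which is exactly the pattern the Indicators of Compromise list describes.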
Monitoring Recommendations
- Enable logging of IPsec SA establishment and verify SAs exist for both IPv4 and IPv6 traffic
- Implement network intrusion detection systems (IDS) to alert on plaintext sensitive data traversing inter-Node links
- Audit Antrea controller logs for any warnings related to IPsec or encryption configuration issues
- Regularly verify traffic encryption status using the Antrea Traffic Encryption Guide
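The first monitoring item (verify that SAs exist for both IPv4 and IPv6) can be checked from the kernel's IPsec state rather than from packet captures. The Python helper below is an added example, not Antrea's own tooling: it parses the output of `ip xfrm state` (run in the Node's network namespace) into the set of (src, dst) pairs that have an ESP SA, then compares that set against the expected Node addresses for both families. The sample output and the node inventory are constructed; the cipher names, mode and SPIs in it are placeholders and not a statement about what Antrea programs.

```python
import ipaddress
from itertools import permutations


def parse_xfrm_state(text: str) -> set:
    """Return the set of (src, dst) address pairs that have an ESP SA.

    `ip xfrm state` prints one record per SA: an unindented 'src A dst B'
    line followed by indented attribute lines, the first of which names the
    protocol ('proto esp ...'). Indented 'sel src ...' lines are selectors,
    not new records, and are skipped because they are not at column 0.
    """
    sas = set()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("src "):
            parts = line.split()
            current = (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[3]))
        elif current and line.startswith("proto esp"):
            sas.add(current)
    return sas


def missing_sas(nodes: dict, sas: set) -> list:
    """For every ordered Node pair and each address family both Nodes carry,
    report (src_node, dst_node, family) triples that have no ESP SA.
    Both directions are checked because IPsec SAs are unidirectional."""
    missing = []
    for a, b in permutations(nodes, 2):
        for fam in ("ipv4", "ipv6"):
            if fam in nodes[a] and fam in nodes[b]:
                src = ipaddress.ip_address(nodes[a][fam])
                dst = ipaddress.ip_address(nodes[b][fam])
                if (src, dst) not in sas:
                    missing.append((a, b, fam))
    return missing


# Constructed sample: two dual-stack Nodes, but the kernel only holds IPv4 SAs.
NODES = {
    "node-a": {"ipv4": "10.10.0.11", "ipv6": "fd00:10::11"},
    "node-b": {"ipv4": "10.10.0.12", "ipv6": "fd00:10::12"},
}

XFRM_STATE_SAMPLE = """\
src 10.10.0.11 dst 10.10.0.12
\tproto esp spi 0x0a3f1c22 reqid 1 mode transport
\treplay-window 32 flag af-unspec
\tauth-hmac(sha256) 0x<redacted> 128
\tenc cbc(aes) 0x<redacted>
\tsel src 0.0.0.0/0 dst 0.0.0.0/0
src 10.10.0.12 dst 10.10.0.11
\tproto esp spi 0x0b7d9e10 reqid 2 mode transport
\treplay-window 32 flag af-unspec
\tauth-hmac(sha256) 0x<redacted> 128
\tenc cbc(aes) 0x<redacted>
\tsel src 0.0.0.0/0 dst 0.0.0.0/0
"""

if __name__ == "__main__":
    gaps = missing_sas(NODES, parse_xfrm_state(XFRM_STATE_SAMPLE))
    for src_node, dst_node, fam in gaps:
        print(f"no ESP SA for {fam} {src_node} -> {dst_node}")
```

An empty result means every expected Node pair has an SA in both families; an IPv6-only gap list is consistent with the behaviour this advisory describes. A present SA does not by itself prove that IPv6 tunnel traffic is being steered into it, so the capture-based check remains the definitive test.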
How to Mitigate CVE-2026-34992
Immediate Actions Required
- Upgrade Antrea to version 2.4.5 or 2.5.2 immediately if running dual-stack clusters with IPsec encryption
- Verify your cluster configuration to determine if dual-stack networking with IPsec is enabled
- Conduct a risk assessment to identify potential data exposure during the vulnerable window
- Review network access controls to restrict adjacent network access to authorized personnel only
Patch Information
This vulnerability is fixed in Antrea versions 2.4.5 and 2.5.2. The fix is implemented in commit 738bad662. Users should upgrade to the patched versions through their standard Kubernetes deployment processes. For upgrade guidance, refer to the GitHub Security Advisory GHSA-qcmw-8mm4-4p28.
Workarounds
- Temporarily disable dual-stack networking and operate in single-stack IPv4 mode until upgrade is possible
- Implement network segmentation to isolate inter-Node traffic from potential attackers
- Deploy additional encryption to protect IPv6 traffic, such as WireGuard at the network layer or a service mesh with mTLS at the application layer
- Restrict physical and logical network access to infrastructure carrying inter-Node Kubernetes traffic
# Verify Antrea version and encryption configuration
kubectl get pods -n kube-system -l app=antrea -o jsonpath='{.items[0].spec.containers[0].image}'
kubectl get configmap -n kube-system antrea-config -o yaml | grep trafficEncryptionMode
# Check for dual-stack configuration
kubectl get nodes -o jsonpath='{.items[*].spec.podCIDRs}'
# Upgrade Antrea to patched version (example using kubectl)
kubectl apply -f https://github.com/antrea-io/antrea/releases/download/v2.5.2/antrea.yml
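The three verification commands above yield an image reference, the trafficEncryptionMode line(s) from antrea-config, and the Nodes' podCIDRs. The Python helper below is an added example (not from this advisory or the Antrea project) that turns those outputs into a yes/no triage answer using the affected ranges stated on this page: anything before 2.4.5, and 2.5.0 through 2.5.1. It ignores the commented-out defaults that the antrea-config ConfigMap carries (for example `#trafficEncryptionMode: none`), which a bare grep also prints. The sample outputs are constructed, not taken from a real cluster.

```python
import re
import ipaddress

# Fixed releases named in the advisory: 2.4.5 and 2.5.2.
FIXED_24 = (2, 4, 5)
FIXED_25 = (2, 5, 2)


def version_affected(image_ref: str) -> tuple:
    """Parse the version from an image reference such as
    'antrea/antrea-agent-ubuntu:v2.5.1' and apply the advisory's ranges."""
    matches = re.findall(r"(\d+)\.(\d+)\.(\d+)", image_ref)
    if not matches:
        raise ValueError(f"no semantic version found in {image_ref!r}")
    ver = tuple(int(x) for x in matches[-1])
    affected = ver < FIXED_24 or ((2, 5, 0) <= ver < FIXED_25)
    return ver, affected


def encryption_mode(config_text: str) -> str:
    """Effective trafficEncryptionMode from the grep output. Lines starting
    with '#' are commented-out defaults and are ignored; if no uncommented
    setting is present the documented default 'none' applies."""
    mode = "none"
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("trafficEncryptionMode:"):
            mode = s.split(":", 1)[1].strip().strip("'\"")
    return mode.lower()


def is_dual_stack(pod_cidrs_text: str) -> bool:
    """True when the podCIDRs output contains both IPv4 and IPv6 ranges.
    Tokens are matched by regex so the exact jsonpath list formatting does
    not matter."""
    families = set()
    for tok in re.findall(r"[0-9a-fA-F:.]+/\d+", pod_cidrs_text):
        try:
            families.add(ipaddress.ip_network(tok, strict=False).version)
        except ValueError:
            pass  # not a CIDR after all
    return families == {4, 6}


def assess(image_ref: str, config_text: str, pod_cidrs_text: str) -> dict:
    """Combine the three signals; all must hold for IPv6 Pod traffic to be exposed."""
    ver, vuln_ver = version_affected(image_ref)
    mode = encryption_mode(config_text)
    dual = is_dual_stack(pod_cidrs_text)
    return {
        "version": ".".join(map(str, ver)),
        "vulnerable_version": vuln_ver,
        "trafficEncryptionMode": mode,
        "dual_stack": dual,
        "exposed": bool(vuln_ver and mode == "ipsec" and dual),
    }


# Constructed sample outputs of the three kubectl commands (not a real cluster).
SAMPLE_IMAGE = "antrea/antrea-agent-ubuntu:v2.5.1"
SAMPLE_CONFIG = "    #trafficEncryptionMode: none\n    trafficEncryptionMode: ipsec\n"
SAMPLE_CIDRS = '["10.244.0.0/24","fd00:10:244::/64"] ["10.244.1.0/24","fd00:10:244:1::/64"]'

if __name__ == "__main__":
    for key, value in assess(SAMPLE_IMAGE, SAMPLE_CONFIG, SAMPLE_CIDRS).items():
        print(f"{key}: {value}")
```

A result with `exposed: True` means the cluster matches all three conditions of this advisory and should be upgraded; a `False` on any single signal (patched version, a mode other than ipsec, or single-stack podCIDRs) removes the IPv6 plaintext exposure described here, though not necessarily other reasons to upgrade.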
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

