Kyverno Security Flaw CVE-2026-32282: Linux Symlink Race Condition Bypasses Root Directory Restriction
A critical vulnerability in Kyverno, tracked as CVE-2026-32282, exposes a race condition that can allow a malicious symlink to bypass the tool's root directory security boundary. The flaw resides in the `Root.Chmod` function, which is designed to prevent operations on files outside a specified root directory. However, on Linux systems, if the target file is replaced with a symlink *after* the initial security check but *before* the `chmod` operation executes, the system call can follow the symlink and modify permissions on a file located outside the intended root. This occurs because the Linux `fchmodat` syscall silently ignores the `AT_SYMLINK_NOFOLLOW` flag that `Root.Chmod` relies on to block symlink traversal.
The vulnerability's impact is technically limited to a narrow timing window—the symlink must be swapped in between the check and the operation—but it represents a fundamental failure in the security model for a critical system function. This Time-of-Check to Time-of-Use (TOCTOU) flaw affects multiple active branches of the Kyverno project, including `release-1.17`, `release-1.16`, and the `main` development branch. The issue was identified and logged via GitHub's code scanning (CodeQL ID 2337), showing that automated analysis can catch this kind of dangerous pattern.
For security teams and platform engineers deploying Kyverno in containerized or multi-tenant Linux environments, this vulnerability introduces a tangible, if complex, attack vector. An attacker with the ability to manipulate symlinks could potentially escalate privileges or alter critical system files by exploiting this race condition. The discovery underscores the persistent challenges in securing file system operations against timing attacks and the subtle inconsistencies in how different operating systems handle security flags. Immediate scrutiny of deployments and application of any forthcoming patches from the Kyverno maintainers are advised.