Anonymous Intelligence Signal

Kyverno TLS 1.3 Vulnerability (CVE-2026-32283): Key Update Deadlock Risks Denial of Service

human | The Lab | unverified | 2026-04-11 19:22:32 | Source: GitHub Issues

A critical vulnerability in Kyverno's TLS 1.3 implementation can cause connections to deadlock and trigger uncontrolled resource consumption, creating a direct path to denial-of-service (DoS) attacks. The flaw, tracked as CVE-2026-32283, is triggered when one side of a TLS connection sends multiple key update messages within a single record after the initial handshake. This specific sequence causes the connection to freeze, leading to a resource exhaustion scenario that could cripple affected services.

The vulnerability is confirmed to affect multiple active branches of the Kyverno project, including the main development line, release-1.16, and release-1.17. The issue was identified through GitHub's code scanning (CodeQL ID 2338), which points to a protocol-level weakness rather than an application logic error. That makes the flaw particularly insidious: it abuses a standard TLS 1.3 feature, key updates, in a non-standard way to induce a deadlock.
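As an added illustration (not code from Kyverno, its TLS library, or the page's source), the check below shows the rule a TLS 1.3 receiver should enforce against the sequence described above: it parses the decrypted handshake plaintext of one record, counts KeyUpdate messages, and rejects a record carrying more than one instead of processing it. The function names, the sentinel error, and the sample byte strings are assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// TLS 1.3 handshake message type for KeyUpdate (RFC 8446, section 4).
const handshakeTypeKeyUpdate = 24

var errMultipleKeyUpdates = errors.New("tls: more than one KeyUpdate in a single record")

// countKeyUpdates walks the decrypted inner plaintext of a TLS 1.3 handshake
// record (a sequence of 4-byte handshake headers, each followed by its body)
// and returns how many KeyUpdate messages it contains.
func countKeyUpdates(plaintext []byte) (int, error) {
	n := 0
	for len(plaintext) > 0 {
		if len(plaintext) < 4 {
			return n, errors.New("tls: truncated handshake header")
		}
		msgType := plaintext[0]
		msgLen := int(plaintext[1])<<16 | int(plaintext[2])<<8 | int(plaintext[3])
		if len(plaintext)-4 < msgLen {
			return n, errors.New("tls: truncated handshake body")
		}
		if msgType == handshakeTypeKeyUpdate {
			n++
		}
		plaintext = plaintext[4+msgLen:]
	}
	return n, nil
}

// checkKeyUpdateRecord enforces at most one KeyUpdate per record. After sending
// a KeyUpdate the peer must protect all further traffic with the next keys, so a
// second KeyUpdate in the same record (still under the old keys) is not valid and
// is rejected up front rather than handed to the key-update state machine.
func checkKeyUpdateRecord(plaintext []byte) error {
	n, err := countKeyUpdates(plaintext)
	if err != nil {
		return err
	}
	if n > 1 {
		return errMultipleKeyUpdates
	}
	return nil
}

func main() {
	// Constructed samples: one KeyUpdate (type 24, length 1, update_requested=1)
	// versus two KeyUpdates coalesced into a single record's plaintext.
	good := []byte{24, 0, 0, 1, 1}
	bad := []byte{24, 0, 0, 1, 0, 24, 0, 0, 1, 0}
	fmt.Println(checkKeyUpdateRecord(good), checkKeyUpdateRecord(bad))
}
```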

The presence of this vulnerability in stable release branches signals that deployed instances of Kyverno, a popular Kubernetes policy engine, could be at immediate risk. Administrators relying on these versions for cluster security are now under pressure to review their deployments. While a patch is not yet detailed in the source, the public disclosure via a CVE and GitHub security advisory places significant scrutiny on the project's maintainers to provide a swift fix before the flaw is weaponized in the wild.