Bug 2457729 (CVE-2026-35469) - CVE-2026-35469 Kubelet, CRI-O, kube-apiserver: Denial of Service via SPDY streaming code
Keywords:
Status: NEW
Alias: CVE-2026-35469
Deadline: 2026-04-13
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high (priority) / high (severity)
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2467585 2467586 2467587 2467588 2467589 2467591 2467592 2467593 2467594 2467595 2467596 2467597 2467598 2467600 2467601 2467602 2467603 2467590 2467599 2467604 2467605 2467606
Blocks:
Reported: 2026-04-13 03:53 UTC by OSIDB Bzimport
Modified: 2026-05-07 04:25 UTC (History)
CC: 21 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description OSIDB Bzimport 2026-04-13 03:53:46 UTC
Summary:
Possible denial of service (DoS) in the SPDY streaming code used for attach, exec and port-forward.

Requirements To Exploit:
Access to the kubelet's streaming endpoint (granted through nodes/proxy), or permission to port-forward, exec or attach to pods. These correspond to the following RBAC permissions (in a Role or ClusterRole):

- pods/portforward (create)
- pods/exec (create)
- pods/attach (create)
- nodes/proxy (get/create)

Component Affected:
Kubelet, CRI-O, kube-apiserver

Version Affected:
OpenShift 4.21.4 and below

Patch Available:
yes

Version Fixed:
none yet

Steps To Reproduce:
apply:

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: poc-sa-portforward
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: poc-role-portforward
  namespace: default
rules:
  # Only the permission the report names as sufficient: create on pods/portforward
  - apiGroups: [""]
    resources: ["pods/portforward"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: poc-rb-portforward
  namespace: default
subjects:
  - kind: ServiceAccount
    name: poc-sa-portforward
    namespace: default
roleRef:
  kind: Role
  name: poc-role-portforward
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: poc-target
  namespace: default
spec:
  containers:
    - name: nginx
      image: nginx:alpine
```

set env:

```bash
# API server host:port, with the https:// scheme stripped
export API_SERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' | sed 's|https://||')
# Short-lived token for the PoC service account (kubectl 1.24+); run with the
# default namespace selected, or add -n default
export TOKEN=$(kubectl create token poc-sa-portforward)
export POD=poc-target
```

Run the attached poc_portforward.py.

Mitigation:
Do not grant the permissions listed above (create on pods/portforward, pods/exec or pods/attach; get/create on nodes/proxy) to untrusted users.
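
As an added check for the preconditions and mitigation above (example code written for this page, not the reporter's PoC and not Kubernetes, CRI-O or OpenShift code), the script below audits an RBAC dump for every subject that ends up with one of the listed permissions. It consumes the `items` of the List that `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json` returns, resolves each binding to its role, and applies RBAC's own resource-matching rules (`*`, exact name, `*/<subresource>`) so wildcard grants are caught too. The SAMPLE_ITEMS it ships with are constructed test data that include the report's own poc-role-portforward Role; the other role and subject names are invented for the example.

```python
"""Audit Kubernetes RBAC for the permissions this report lists as sufficient to
reach the SPDY streaming endpoints (pods/portforward, pods/exec, pods/attach,
nodes/proxy). Added example for this bug page, not Kubernetes/CRI-O/reporter code.
Input: `items` of `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`.
SAMPLE_ITEMS is constructed test data, not a real cluster dump."""
import json

# (apiGroup, resource) -> verbs the report names as sufficient to exploit.
SENSITIVE = {
    ("", "pods/portforward"): {"create"},
    ("", "pods/exec"): {"create"},
    ("", "pods/attach"): {"create"},
    ("", "nodes/proxy"): {"get", "create"},
}

def resource_matches(rule_resources, resource):
    """Mirror RBAC resource matching: "*" matches all, an exact name matches, and
    "*/<sub>" matches that subresource of any resource. RBAC has no "pods/*" form."""
    _, _, sub = resource.partition("/")
    return any(r == "*" or r == resource or (sub and r == f"*/{sub}") for r in rule_resources)

def rule_grants(rule, api_group, resource, verbs):
    """Return the subset of `verbs` that one PolicyRule grants on `resource`."""
    groups = rule.get("apiGroups") or []
    if "*" not in groups and api_group not in groups:
        return set()
    if not resource_matches(rule.get("resources") or [], resource):
        return set()
    rule_verbs = set(rule.get("verbs") or [])
    return set(verbs) if "*" in rule_verbs else set(verbs) & rule_verbs

def sensitive_permissions(role):
    """Sorted 'resource:verb' strings from SENSITIVE that a Role/ClusterRole grants."""
    perms = set()
    for rule in role.get("rules") or []:
        for (group, resource), verbs in SENSITIVE.items():
            perms.update(f"{resource}:{v}" for v in rule_grants(rule, group, resource, verbs))
    return sorted(perms)

def audit(items):
    """Resolve each (Cluster)RoleBinding to its role; report subjects that end up
    with any SENSITIVE permission. Returns a list of finding dicts."""
    roles = {(o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"]): o
             for o in items if o["kind"] in ("Role", "ClusterRole")}
    findings = []
    for obj in items:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ns, ref = obj["metadata"].get("namespace", ""), obj["roleRef"]
        # A RoleBinding may reference a ClusterRole; the grant is then limited to the binding's namespace.
        role = roles.get((ref["kind"], "" if ref["kind"] == "ClusterRole" else ns, ref["name"]))
        perms = sensitive_permissions(role) if role is not None else []  # unresolved roleRef: skip
        if not perms:
            continue
        scope = "cluster" if obj["kind"] == "ClusterRoleBinding" else f"namespace/{ns}"
        for s in obj.get("subjects") or []:
            subject = ":".join(filter(None, (s["kind"], s.get("namespace"), s["name"])))
            findings.append({"subject": subject, "scope": scope,
                             "role": f'{ref["kind"]}/{ref["name"]}', "permissions": perms})
    return findings

SAMPLE_ITEMS = [  # constructed sample data
    # The report's own PoC objects: Role + RoleBinding in namespace default
    {"kind": "Role", "metadata": {"name": "poc-role-portforward", "namespace": "default"},
     "rules": [{"apiGroups": [""], "resources": ["pods/portforward"], "verbs": ["create"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "poc-rb-portforward", "namespace": "default"},
     "subjects": [{"kind": "ServiceAccount", "name": "poc-sa-portforward", "namespace": "default"}],
     "roleRef": {"kind": "Role", "name": "poc-role-portforward"}},
    # "*/exec" wildcard subresource, handed to a group in one namespace through a ClusterRole
    {"kind": "ClusterRole", "metadata": {"name": "pod-exec"},
     "rules": [{"apiGroups": [""], "resources": ["*/exec"], "verbs": ["create"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-exec", "namespace": "dev"},
     "subjects": [{"kind": "Group", "name": "developers"}],
     "roleRef": {"kind": "ClusterRole", "name": "pod-exec"}},
    # Kubelet endpoint access through nodes/proxy, cluster-wide
    {"kind": "ClusterRole", "metadata": {"name": "node-proxy-reader"},
     "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-node-proxy"},
     "subjects": [{"kind": "Group", "name": "ops"}],
     "roleRef": {"kind": "ClusterRole", "name": "node-proxy-reader"}},
    # Full wildcards: grants every SENSITIVE permission at once
    {"kind": "ClusterRole", "metadata": {"name": "admin-all"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admin-all"},
     "subjects": [{"kind": "User", "name": "root-admin"}],
     "roleRef": {"kind": "ClusterRole", "name": "admin-all"}},
    # Benign read-only role: must not be reported
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "default"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "pod-reader", "namespace": "default"},
     "subjects": [{"kind": "ServiceAccount", "name": "viewer", "namespace": "default"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ITEMS), indent=2))
```

To run it against a real cluster, save the kubectl output to a file, `json.load` it and pass `data["items"]` to `audit()`, then compare the reported subjects with the set you intend to have exec, attach, port-forward or kubelet-proxy rights. It covers RBAC only: members of `system:masters`, and anything authorized by webhook or ABAC authorizers, fall outside this check.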

Embargo Reason:
Coordination with three upstream communities: containerd, CRI-O, Kubernetes

Original Report:
https://github.com/moby/spdystream/security/advisories/GHSA-pc3f-x583-g7j2

