CVE-2026-23766
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-02-14

Assigner: MITRE

Description
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-02-14
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-02-14
NVD
CVE-2026-23766
EUVD
EUVD-2026-2704
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
istio istio to 1.28.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Istio up to version 1.28.2 involves the `traffic.sidecar.istio.io/excludeInterfaces` annotation accepting arbitrary strings without validation. This allows users to inject iptables match parameters, which can alter firewall behavior unexpectedly. The issue arises because the annotation does not restrict input to valid Linux network interface names, enabling injection of potentially malicious parameters. Although pod creators can exclude sidecar injection entirely, this lack of input validation can cause unintended side effects. A fix has been implemented to enforce strict validation of interface names, limiting them to valid Linux interface naming conventions. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing injection of arbitrary iptables match parameters through the `excludeInterfaces` annotation, potentially changing firewall behavior in unintended ways. This could lead to misconfigured network traffic rules within the Istio service mesh, possibly affecting network security or traffic routing. However, since pod creators can already exclude sidecar injection entirely, the practical security risk is limited. The vulnerability mainly causes unclear or unintended behavior rather than direct compromise. [1, 2]

Detection Guidance

This vulnerability can be detected by inspecting the usage of the `traffic.sidecar.istio.io/excludeInterfaces` annotation in your Istio deployments. Look for annotations containing arbitrary strings that include iptables parameters rather than valid Linux network interface names. You can check pod annotations with commands like `kubectl get pods --all-namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.annotations.traffic\.sidecar\.istio\.io/excludeInterfaces}{"\n"}{end}'` to identify suspicious or malformed values. Additionally, reviewing iptables rules injected by Istio sidecars for unexpected parameters may help detect exploitation attempts. [1, 2]

Mitigation Strategies

To mitigate this vulnerability immediately, ensure that the `traffic.sidecar.istio.io/excludeInterfaces` annotation is only set with valid Linux network interface names that comply with the following constraints: maximum length of 15 characters, only alphanumeric characters, underscores (_), hyphens (-), and dots (.), and no empty names. Avoid using arbitrary strings or iptables parameters in this annotation. If possible, update Istio to a version that includes the fix implementing strict input validation for this annotation. Additionally, restrict who can create or modify pods with this annotation to trusted users to prevent injection of malicious parameters. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23766. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart