CVE-2026-23766
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-02-14
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| istio | istio | up to 1.28.2 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Istio up to version 1.28.2 involves the `traffic.sidecar.istio.io/excludeInterfaces` annotation accepting arbitrary strings without validation. This allows users to inject iptables match parameters, which can alter firewall behavior unexpectedly. The issue arises because the annotation does not restrict input to valid Linux network interface names, enabling injection of potentially malicious parameters. Although pod creators can exclude sidecar injection entirely, this lack of input validation can cause unintended side effects. A fix has been implemented to enforce strict validation of interface names, limiting them to valid Linux interface naming conventions. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing injection of arbitrary iptables match parameters through the `excludeInterfaces` annotation, potentially changing firewall behavior in unintended ways. This could lead to misconfigured network traffic rules within the Istio service mesh, possibly affecting network security or traffic routing. However, since pod creators can already exclude sidecar injection entirely, the practical security risk is limited. The vulnerability mainly causes unclear or unintended behavior rather than direct compromise. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the usage of the `traffic.sidecar.istio.io/excludeInterfaces` annotation in your Istio deployments. Look for annotations containing arbitrary strings that include iptables parameters rather than valid Linux network interface names. You can check pod annotations with commands like `kubectl get pods --all-namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.annotations.traffic\.sidecar\.istio\.io/excludeInterfaces}{"\n"}{end}'` to identify suspicious or malformed values. Additionally, reviewing iptables rules injected by Istio sidecars for unexpected parameters may help detect exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, ensure that the `traffic.sidecar.istio.io/excludeInterfaces` annotation is only set to valid Linux network interface names that satisfy the following constraints: a maximum length of 15 characters; only alphanumeric characters, underscores (_), hyphens (-), and dots (.); and no empty names. Avoid placing arbitrary strings or iptables parameters in this annotation. If possible, update Istio to a version that includes the fix implementing strict input validation for this annotation. Additionally, restrict who can create or modify pods carrying this annotation to trusted users, so that injected parameters cannot reach the sidecar's iptables setup. [2]
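As an added example (not code from this page or from the Istio project), the following Python script applies the interface-name constraints listed above to every pod's `traffic.sidecar.istio.io/excludeInterfaces` annotation, so the detection step and the mitigation check can be run as one audit. It assumes the annotation value is a comma-separated list of interface names and reads `kubectl get pods -A -o json` output from a file path argument, falling back to a constructed sample when none is given.

```python
"""Audit Istio excludeInterfaces annotations for values that are not interface names."""
import json
import re
import sys

ANNOTATION = "traffic.sidecar.istio.io/excludeInterfaces"

# Constraints as stated in the advisory: non-empty, at most 15 characters,
# and only alphanumerics, underscore, hyphen and dot.
IFACE_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")


def invalid_interface_names(value: str) -> list[str]:
    """Return the entries of a comma-separated annotation value that are not valid names.

    Assumption: the annotation is a comma-separated list; whitespace around the
    separators is tolerated, but anything else that is not a bare name is flagged.
    """
    return [name.strip() for name in value.split(",") if not IFACE_NAME_RE.fullmatch(name.strip())]


def audit_pod_list(pod_list: dict) -> list[dict]:
    """Walk a kubectl PodList document and report pods whose annotation fails validation."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        value = (meta.get("annotations") or {}).get(ANNOTATION)
        if value is None:
            continue  # pod does not use the annotation at all
        bad = invalid_interface_names(value)
        if bad:
            findings.append({"namespace": meta.get("namespace"), "pod": meta.get("name"),
                             "value": value, "invalid": bad})
    return findings


# Constructed sample shaped like `kubectl get pods -A -o json`; not real cluster data.
SAMPLE_POD_LIST = {"items": [
    {"metadata": {"namespace": "payments", "name": "api-7c9d", "annotations": {ANNOTATION: "eth1,docker0"}}},
    {"metadata": {"namespace": "payments", "name": "worker-1f2a", "annotations": {ANNOTATION: "eth0 -p tcp"}}},
    {"metadata": {"namespace": "default", "name": "plain", "annotations": {}}},
    {"metadata": {"namespace": "default", "name": "long", "annotations": {ANNOTATION: "this-name-is-far-too-long,"}}},
]}

if __name__ == "__main__":
    with open(sys.argv[1]) if len(sys.argv) > 1 else None as fh:
        data = json.load(fh) if fh else SAMPLE_POD_LIST
    for f in audit_pod_list(data):
        print(f"{f['namespace']}/{f['pod']}: {ANNOTATION}={f['value']!r} invalid entries: {f['invalid']}")
```

Run it as `kubectl get pods -A -o json > pods.json && python3 audit_exclude_interfaces.py pods.json`; an empty report means every annotated pod already satisfies the constraints the fix enforces.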