Executive Summary

CVE-2026-26963 is a moderate severity vulnerability affecting Cilium versions 1.18.0 through 1.18.5 when Native Routing, WireGuard, and Node Encryption are enabled simultaneously.

The vulnerability occurs because ingress traffic arriving via the WireGuard interface (cilium_wg0) is not properly routed through the host network stack for host firewall policy enforcement after decryption.

As a result, traffic from Pods on other nodes can bypass intended host-level security controls, allowing unauthorized traffic to be permitted.

This issue was fixed in Cilium version 1.18.6 by ensuring that packets destined for the local host are redirected through the cilium_host interface and the appropriate BPF programs to enforce host firewall ingress policies.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing unauthorized network traffic from Pods on other nodes to bypass host firewall policies.

The attack vector is adjacent network access with low complexity and requires no privileges or user interaction.

The impact includes a loss of confidentiality and integrity of data, as unauthorized traffic can be permitted, but it does not affect availability.

This could lead to potential exposure of sensitive data or unauthorized access within your network environment.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability occurs when Cilium versions 1.18.0 through 1.18.5 have Native Routing, WireGuard, and Node Encryption enabled simultaneously, causing ingress traffic arriving via the WireGuard interface (cilium_wg0) to bypass host firewall policies.

To detect if your system is affected, check if your Cilium version is within the vulnerable range and if the three features (Native Routing, WireGuard, and Node Encryption) are enabled.

A practical way to verify the presence of the vulnerability is to inspect routing rules related to the WireGuard interface (cilium_wg0) and whether ingress traffic is properly routed through the host network stack for policy enforcement.

Suggested commands to help detect or mitigate the issue by explicitly routing ingress traffic from cilium_wg0 to cilium_host (which also serves as a detection step) are:

• For IPv4 traffic: ip rule add iif cilium_wg0 table 300
• ip route add default dev cilium_host table 300
• For IPv6 traffic: ip -6 rule add iif cilium_wg0 table 300
• ip -6 route add default dev cilium_net table 300

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is fixed in Cilium version 1.18.6, so the primary mitigation step is to upgrade your Cilium deployment to version 1.18.6 or later.

If immediate upgrade is not possible, a locally validated mitigation involves explicitly routing all ingress traffic from the WireGuard interface (cilium_wg0) to the cilium_host interface to ensure host firewall policies are applied.

The recommended commands to implement this mitigation on each Cilium node are:

• For IPv4 traffic: ip rule add iif cilium_wg0 table 300
• ip route add default dev cilium_host table 300
• For IPv6 traffic: ip -6 rule add iif cilium_wg0 table 300
• ip -6 route add default dev cilium_net table 300

Useful 0 Not Useful 0