CVE-2026-31890
Received Received - Intake
Silent Event Drop Denial of Service in Inspektor Gadget Ring-Buffer

Publication date: 2026-03-12

Last updated on: 2026-04-06

Assigner: GitHub, Inc.

Description
Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. Prior to 0.50.1, in a situation where the ring-buffer of a gadget is – incidentally or maliciously – already full, the gadget will silently drop events. The include/gadget/buffer.h file contains definitions for the Buffer API that gadgets can use to, among the other things, transfer data from eBPF programs to userspace. For hosts running a modern enough Linux kernel (>= 5.8), this transfer mechanism is based on ring-buffers. The size of the ring-buffer for the gadgets is hard-coded to 256KB. When a gadget_reserve_buf fails because of insufficient space, the gadget silently cleans up without producing an alert. The lost count reported by the eBPF operator, when using ring-buffers – the modern choice – is hardcoded to zero. The vulnerability can be used by a malicious event source (e.g. a compromised container) to cause a Denial Of Service, forcing the system to drop events coming from other containers (or the same container). This vulnerability is fixed in 0.50.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-04-06
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31890
EUVD
EUVD-2026-11641
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation inspektor_gadget to 0.50.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-223 The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31890 is a Denial of Service (DoS) vulnerability in the inspektor-gadget project, which is a toolset for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. The vulnerability occurs because the ring-buffer used to transfer event data from eBPF programs to userspace has a fixed size of 256 KB. When this buffer becomes full, either incidentally or due to malicious flooding, new events are silently dropped without any alert or logging.

The userspace component that reads events from the ring-buffer does not report any lost events because the lost event count is hardcoded to zero. This means that if the buffer is full, legitimate events can be lost without detection. An attacker who can generate arbitrary events (for example, from a compromised container) can flood the buffer, causing a Denial of Service by preventing other events from being recorded.

This vulnerability was fixed in inspektor-gadget version 0.50.1.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can impact you by causing a Denial of Service in the event tracing system of inspektor-gadget. If an attacker or a malfunctioning component floods the ring-buffer with events, legitimate events from other containers or processes will be silently dropped without any notification.'}, {'type': 'paragraph', 'content': "As a result, important security or system monitoring events may not be recorded or traced, potentially allowing malicious activity to go undetected. This can reduce the effectiveness of security monitoring and incident response mechanisms that rely on inspektor-gadget's event tracing."}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring for silent event drops in the inspektor-gadget event tracing system. Since the ring-buffer size is fixed at 256 KB and events are silently dropped when the buffer is full, one way to detect the issue is to observe if expected events are missing or not being traced.

A proof-of-concept involves running a flooding program that repeatedly opens and closes a file to fill the ring-buffer, causing subsequent monitored events (such as accesses to sensitive files like /etc/shadow) to be silently dropped.

Suggested commands to detect this behavior could include:

  • Run a program that generates a high volume of events, for example, repeatedly opening and closing a file in a loop to flood the ring-buffer.
  • Monitor inspektor-gadget logs or output for missing expected events, such as file access events to critical files.
  • Use standard Linux tools to observe system calls or file accesses, for example, using `strace` on processes or `auditctl` to monitor file access, and compare with inspektor-gadget event outputs to detect discrepancies.
Mitigation Strategies

The immediate mitigation step is to upgrade inspektor-gadget to version 0.50.1 or later, where this vulnerability is fixed.

Since the vulnerability arises from a hardcoded ring-buffer size and silent event drops, upgrading ensures that the buffer handling is corrected and lost event counts are properly reported.

Until the upgrade is applied, consider limiting the ability of untrusted containers or processes to generate excessive events that could flood the ring-buffer, to reduce the risk of Denial of Service.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31890. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart