CVE-2026-33022
Denial-of-Service in Tekton Pipelines via Long Resolver Names

Publication date: 2026-03-20

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
The Tekton Pipelines project provides Kubernetes-style resources for declaring CI/CD-style pipelines. Versions 0.60.0 through 1.0.0, 1.1.0 through 1.3.2, 1.4.0 through 1.6.0, 1.7.0 through 1.9.0, 1.10.0, and 1.10.1 have a denial-of-service vulnerability that allows any user who can create a TaskRun or PipelineRun to crash the controller cluster-wide by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31 or more characters. The crash occurs because GenerateDeterministicNameFromSpec produces a name exceeding the 63-character DNS-1123 label limit, and its truncation logic panics on a [-1] slice bound because the generated name contains no spaces. Once crashed, the controller enters a CrashLoopBackOff on restart (as it re-reconciles the offending resource), blocking all CI/CD reconciliation until the resource is manually deleted. Built-in resolvers (git, cluster, bundles, hub) are unaffected because their names are short, but any custom resolver name of that length triggers the bug. The fix truncates the resolver-name prefix instead of the full string, preserving the hash suffix for determinism and uniqueness. This issue has been patched in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2 and 1.10.2.
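The truncation defect described above, reconstructed as an added Go example that is not Tekton's own code: the "<resolver>-<hash>" name format, the 32-character hash suffix, and the helper names (hashSuffix, vulnerableName, fixedName, panics) are assumptions chosen so that a 31-character resolver name is exactly what crosses the 63-character limit, matching the threshold the advisory states.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

const maxLabelLen = 63 // DNS-1123 label limit for Kubernetes object names
// hashSuffix stands in for the deterministic spec hash (constructed: 32 hex chars,
// chosen so that a 31-character resolver name is exactly what exceeds 63).
func hashSuffix(spec string) string {
	sum := sha256.Sum256([]byte(spec))
	return hex.EncodeToString(sum[:])[:32]
}

// vulnerableName reconstructs the failure pattern: build "<resolver>-<hash>" and, when too
// long, cut back at the last space. There is never a space, so name[:-1] panics (CWE-129).
func vulnerableName(resolver, spec string) string {
	name := resolver + "-" + hashSuffix(spec)
	if len(name) > maxLabelLen {
		name = name[:strings.LastIndex(name, " ")]
	}
	return name
}

// fixedName applies the patched strategy: shorten only the resolver prefix so the
// hash suffix, and with it determinism and uniqueness, always survives intact.
func fixedName(resolver, spec string) string {
	suffix := "-" + hashSuffix(spec)
	if budget := maxLabelLen - len(suffix); len(resolver) > budget {
		resolver = resolver[:budget]
	}
	return resolver + suffix
}

// panics reports whether fn panicked, recovering so the caller keeps running.
func panics(fn func()) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	fn()
	return false
}

func main() {
	long := strings.Repeat("r", 31) // a 31-character custom resolver name
	fmt.Println("vulnerable panics:", panics(func() { vulnerableName(long, "spec") }))
	fmt.Println("fixed:", fixedName(long, "spec"))
}
```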
Meta Information
Published: 2026-03-20
Last Modified: 2026-03-24
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (5 associated CPEs)
Vendor: linuxfoundation, Product: tekton_pipelines
Version ranges (inclusive lower bound, exclusive upper bound):
0.60.0 to 1.0.1
1.1.0 to 1.3.3
1.4.0 to 1.6.1
1.7.0 to 1.9.2
1.10.0 to 1.10.2
CWE
CWE-129: The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33022 is a denial-of-service vulnerability in the Tekton Pipelines controller affecting versions from 0.60.0 through 1.10.0. It occurs when a user with permission to create TaskRun or PipelineRun resources sets the resolver name field (.spec.taskRef.resolver or .spec.pipelineRef.resolver) to a string of 31 or more characters. This causes the controller to generate a name that exceeds the DNS-1123 label limit of 63 characters.

The controller's truncation logic tries to shorten the generated name by searching for the last space character, but since the name contains no spaces, this results in an invalid slice operation causing a runtime panic. This panic crashes the controller, which then enters a CrashLoopBackOff state on restart because it repeatedly tries to reconcile the offending resource.

As a result, all TaskRun and PipelineRun reconciliations are blocked cluster-wide until the problematic resource is manually deleted. Built-in resolvers with short names are unaffected, but any custom resolver name longer than 30 characters triggers the bug.

The vulnerability is caused by improper validation of array indexes (CWE-129) and was fixed by changing the truncation logic to preserve the hash suffix and truncate only the resolver name prefix, ensuring the generated name fits within the DNS-1123 limit. [1]


How can this vulnerability impact me?

This vulnerability can cause a denial-of-service condition in your Tekton Pipelines controller. If exploited, the controller crashes and enters a CrashLoopBackOff state, preventing any TaskRun or PipelineRun resources from being reconciled.

This means your CI/CD pipelines managed by Tekton will be blocked cluster-wide, halting automated build, test, and deployment workflows until the offending resource is manually removed or the controller is patched.

Since any user with permission to create TaskRun or PipelineRun resources can trigger this by using a long custom resolver name, it poses a risk especially in multi-tenant or shared cluster environments.

The impact is availability-related, with no direct confidentiality or integrity loss, but it can significantly disrupt development and deployment processes.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for TaskRun or PipelineRun resources that have a .spec.taskRef.resolver or .spec.pipelineRef.resolver field set to a string of 31 or more characters. Such resources trigger a panic in the Tekton Pipelines controller, causing it to crash and enter a CrashLoopBackOff state.

To detect the vulnerability on your system, you can query your Kubernetes cluster for TaskRun or PipelineRun resources with long resolver names. For example, you can use kubectl together with jq to list these resources and filter by resolver name length:

kubectl get taskruns --all-namespaces -o json | jq '.items[] | select(.spec.taskRef.resolver != null and (.spec.taskRef.resolver | length) >= 31) | {namespace: .metadata.namespace, name: .metadata.name, resolver: .spec.taskRef.resolver}'

kubectl get pipelineruns --all-namespaces -o json | jq '.items[] | select(.spec.pipelineRef.resolver != null and (.spec.pipelineRef.resolver | length) >= 31) | {namespace: .metadata.namespace, name: .metadata.name, resolver: .spec.pipelineRef.resolver}'

Additionally, watching the Tekton Pipelines controller pod for CrashLoopBackOff status and its logs for panic stack traces mentioning slice bounds out of range can help identify whether the vulnerability is being triggered. [1]


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate mitigation is to restrict permissions to create or update TaskRun and PipelineRun resources in your Kubernetes cluster using RBAC policies. This prevents untrusted users from exploiting the vulnerability by creating resources with long resolver names.

Since no validation-side workaround exists without patching, you should upgrade your Tekton Pipelines controller to a patched version. Patched versions include 1.0.1, 1.3.3, 1.6.1, 1.9.2, and 1.10.2.

If the controller is already crashing due to this issue, manually delete the offending TaskRun or PipelineRun resource with the long resolver name to restore controller functionality.

