CVE-2026-34992
IPv6 Traffic Encryption Bypass in Antrea Dual-Stack Clusters
Publication date: 2026-04-06
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | antrea | Up to 2.4.5 (exc) |
| linuxfoundation | antrea | From 2.5.0 (inc) to 2.5.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-311 | The product does not encrypt sensitive or critical information before storage or transmission. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34992 is a vulnerability in Antrea, a Kubernetes networking solution, affecting dual-stack Kubernetes clusters configured with IPsec encryption. In these clusters, IPv6 Pod traffic between nodes is not encrypted, while IPv4 traffic is correctly encrypted using IPsec ESP. This happens because IPv6 packets, encapsulated via Geneve or VXLAN, bypass the IPsec encryption layer and are transmitted in plaintext. Single-stack IPv4 or IPv6 clusters are not affected.
The vulnerability arises from Antrea failing to apply IPsec encryption to IPv6 Pod traffic in dual-stack environments, which compromises the confidentiality of inter-Node Pod traffic. The issue was fixed in Antrea versions 2.4.5, 2.5.2, and later.
How can this vulnerability impact me?
This vulnerability impacts users running dual-stack Kubernetes clusters with IPsec encryption enabled in Antrea. Specifically, IPv6 Pod traffic between nodes is transmitted unencrypted, exposing sensitive inter-Node Pod traffic to potential interception or eavesdropping.
Since IPv4 traffic remains encrypted, the risk is limited to IPv6 traffic in dual-stack environments. Single-stack IPv4 or IPv6 clusters are not affected.
There is no configuration workaround to enable IPv6 IPsec encryption in affected versions, so users must upgrade to fixed versions or use WireGuard encryption as an alternative.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability can be detected by verifying the IPsec encryption functionality within Antrea clusters using the command `antctl check installation --run ipsec`. This command performs a comprehensive IPsec validation test that:
- Confirms IPsec is enabled by checking the `trafficEncryptionMode` configuration.
- Establishes inter-node connectivity using ping tests.
- Captures ESP (Encapsulating Security Payload) packets via `tcpdump` to verify that traffic is encrypted.
- Ensures no unencrypted tunnel packets are present for GRE, Geneve, or VXLAN protocols.
- Parses the output of the `ipsec status` command to validate security associations.
This validation tool helps confirm that both IPv4 and IPv6 traffic are properly encrypted with ESP, detecting if IPv6 traffic is bypassing IPsec encryption.
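The ESP-versus-plaintext-tunnel check described above can also be applied by hand to frames captured on a Node's transport interface. The following is an added example, not Antrea's or antctl's own code; it assumes Ethernet II frames and the IANA default ports for Geneve (6081) and VXLAN (4789), uses hypothetical function names (`outer_l4`, `classify`, `audit`), and goes one step beyond the text by reporting the inner protocol of any plaintext tunnel packet.

```python
import struct
from collections import Counter

ESP, GRE, UDP = 50, 47, 17                      # IP protocol numbers
TUNNEL_PORTS = {6081: "geneve", 4789: "vxlan"}  # IANA defaults, assumed in use
INNER = {0x0800: "ipv4", 0x86DD: "ipv6"}        # inner EtherTypes of interest

def outer_l4(frame):
    """Return (ip_protocol, payload) for an Ethernet II frame, else None."""
    ethertype = struct.unpack("!H", frame[12:14])[0] if len(frame) >= 14 else 0
    ip = frame[14:]
    if ethertype == 0x0800 and len(ip) >= 20:
        return ip[9], ip[(ip[0] & 0x0F) * 4:]
    if ethertype == 0x86DD and len(ip) >= 40:
        return ip[6], ip[40:]                   # extension headers not walked
    return None

def classify(frame):
    """Label a frame 'esp', 'plaintext-gre', 'plaintext-<tunnel>-<inner>' or 'other'."""
    proto, payload = outer_l4(frame) or (None, b"")
    if proto == ESP:
        return "esp"
    if proto == GRE:
        return "plaintext-gre"
    if proto != UDP or len(payload) < 16:
        return "other"
    tunnel = TUNNEL_PORTS.get(struct.unpack("!H", payload[2:4])[0])
    if tunnel is None:
        return "other"
    optlen = (payload[8] & 0x3F) * 4 if tunnel == "geneve" else 0
    inner = payload[16 + optlen:]               # skip UDP, tunnel header, options
    etype = struct.unpack("!H", inner[12:14])[0] if len(inner) >= 14 else 0
    return f"plaintext-{tunnel}-{INNER.get(etype, 'unknown')}"

def audit(frames):
    """Return (label counts, sorted labels that indicate unencrypted tunnels)."""
    counts = Counter(classify(f) for f in frames)
    return counts, sorted(k for k in counts if k.startswith("plaintext-"))

# Constructed frames (not captured traffic): zeroed addresses and payloads.
def v4(proto, body):
    return bytes(12) + b"\x08\x00\x45" + bytes(8) + bytes([proto]) + bytes(10) + body
def geneve(inner_etype, options=b""):
    hdr = bytes([len(options) // 4, 0]) + b"\x65\x58" + bytes(4) + options
    udp = struct.pack("!HHHH", 40000, 6081, 0, 0)
    return v4(UDP, udp + hdr + bytes(12) + struct.pack("!H", inner_etype) + bytes(40))

SAMPLE = [v4(ESP, bytes(16)), v4(ESP, bytes(16)), geneve(0x86DD)]
print(audit(SAMPLE))  # leaks list contains 'plaintext-geneve-ipv6'
```

A `plaintext-*-ipv6` label alongside `esp` frames is the pattern this CVE describes: IPv4 Pod traffic wrapped in ESP while tunnelled IPv6 Pod traffic leaves the Node in the clear.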
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Antrea to a fixed version: 2.4.5, 2.5.2, or later (including 2.6.0). These versions include the fix that ensures IPv6 Pod traffic is encrypted over IPsec in dual-stack clusters.
If immediate upgrade is not possible, users can switch to using WireGuard for inter-Node Pod traffic encryption, as it is not affected by this vulnerability.
No configuration workaround exists to enable IPsec IPv6 encryption in affected versions prior to the fix.
After upgrading or switching encryption modes, verify encryption status using `antctl check installation --run ipsec`.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Antrea prior to versions 2.4.5 and 2.5.2 causes IPv6 Pod traffic in dual-stack Kubernetes clusters with IPsec encryption enabled to be transmitted in plaintext instead of being encrypted. This missing encryption of IPv6 inter-Node Pod traffic compromises the confidentiality of network communications.
Since confidentiality of data in transit is a critical requirement for compliance with common standards and regulations such as GDPR and HIPAA, this vulnerability could lead to non-compliance. Unencrypted IPv6 traffic may expose sensitive data to interception or unauthorized access, violating data protection and privacy obligations.
Therefore, affected users running dual-stack clusters with IPsec encryption enabled but using vulnerable Antrea versions may face increased risk of data breaches and regulatory penalties until they upgrade to fixed versions or use alternative encryption methods like WireGuard.