CVE-2026-63308
Received Received - Intake

Denial of Service in Helm via Zero-Length File Slices

Vulnerability report for CVE-2026-63308, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

Helm through 4.2.3, fixed in commit ba6c9a2, contains a denial of service vulnerability in the Files.Lines template helper in pkg/engine/files.go that allows attackers to trigger an index out of range panic by including zero-length byte slices in chart files. Attackers can include empty files in Helm charts to cause deterministic render failures across template, install, upgrade, lint, and SDK Engine.Render operations.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
helm helm From 3.13.0 (inc)
chat2db chat2db to 5.3.0 (exc)
helm helm 4.2.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-129 The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-63308 is a denial of service vulnerability in Helm versions up to 4.2.3. It occurs in the Files.Lines template helper where an index out of range panic happens when processing empty files in Helm charts. The function fails to check for zero-length byte slices, causing a panic during template rendering, install, upgrade, lint, or SDK Engine.Render operations.

Detection Guidance

To detect this vulnerability, check Helm version with 'helm version --short'. If using Helm v4.2.3 or earlier, or Helm v3.13.0 to v3.15.x, the system is vulnerable. Test for the issue by creating a Helm chart with an empty file and running 'helm template', 'helm install', or 'helm lint' to see if it causes a panic or render error.

Impact Analysis

This vulnerability allows attackers to cause deterministic render failures in Helm operations by including empty files in charts. This results in non-zero exit codes for commands like template, install, upgrade, and lint, disrupting normal workflows and automation.

Compliance Impact

This vulnerability causes deterministic render failures in Helm operations due to a panic in the Files.Lines function when processing empty files. While it does not directly expose or leak data, it could disrupt services relying on Helm for deployment or configuration management, potentially impacting availability. This may indirectly affect compliance with standards like GDPR or HIPAA by causing service disruptions that could lead to data processing delays or unavailability of critical systems.

Mitigation Strategies

Upgrade Helm to the latest patched version. For Helm v4, upgrade to v4.2.4 or later. For Helm v3, upgrade to v3.16.0 or later. If immediate upgrade is not possible, avoid using Helm charts with empty files or manually patch the Files.Lines function in pkg/engine/files.go to check for empty files.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63308. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart