Coordinated Disclosure Timeline: Cilium eBPF Network Policy Bypass

Disclosure Status: This advisory is in the coordinated disclosure phase. Cedar Mesa Security is working with the Cilium Security Team to develop and validate a patch. Full technical details, CVSS scoring, and remediation guidance will be published when the embargo lifts on May 20, 2026.

Summary

Cedar Mesa Security identified a vulnerability in Cilium's eBPF-based network policy enforcement that allows pod-to-pod traffic to bypass L4 network policies under specific CNI configurations. The vulnerability affects Cilium deployments using the default eBPF datapath when they run on certain kernel versions in combination with certain CNI chaining configurations.

The issue can be exploited by a workload within the cluster to communicate with pods in namespaces that should be unreachable according to configured Cilium network policies. This breaks the network segmentation guarantees that many organizations rely on for multi-tenant Kubernetes deployments.

Disclosure Timeline

2026-04-28: Vulnerability discovered during Cedar Mesa audit of Cilium eBPF policy datapath

2026-04-29: Initial report submitted to the Cilium Security Team via security@cilium.io

2026-05-05: Cilium Security Team acknowledges receipt and confirms the issue is reproducible

2026-05-08: Cilium assigns internal tracking and begins patch development

2026-05-12: This disclosure timeline published to coordinate with affected downstream vendors

2026-05-19: Patch expected to be merged into Cilium 1.16.1 release branch

2026-05-20: Public advisory with full technical details, affected versions, CVSS score, and remediation

Scope

The vulnerability is tracked as CSRG-2026-0512-CILIUM. A CVE ID has been requested through the Cilium security process. The affected component is Cilium's eBPF L4 policy enforcement in the kernel datapath. Specific affected Cilium versions and kernel version requirements will be published with the full advisory on May 20.

Recommendations

Organizations running Cilium in production should monitor this page and the Cilium security announcements mailing list for the May 20 advisory. No immediate action is required prior to the advisory publication, but teams should prepare for a Cilium upgrade cycle once the patch is available.

Cedar Mesa Security • Advisory CSRG-2026-0512-CILIUM • Status: Pre-disclosure