CSRG-2026-0521 — Kubernetes kube-proxy IPVS Connection Tracking Bypass
Summary
Cedar Mesa Security has identified a critical vulnerability in Kubernetes kube-proxy when operating in IPVS mode. A flaw in the IPVS connection tracking implementation allows pods to bypass Kubernetes Service-level network policies and access services in namespaces that should be unreachable.
The vulnerability is specific to clusters running kube-proxy with --proxy-mode=ipvs, which is the recommended production configuration for clusters with more than 1,000 services. Clusters using the default iptables proxy mode are not affected.
The issue can be exploited by any workload within the cluster to route traffic through stale IPVS connection tracking entries, effectively bypassing namespace-scoped service access controls. In multi-tenant clusters, this breaks the isolation boundary between tenant namespaces.
This advisory has been assigned the tracking identifier CSRG-2026-0521. A CVE ID has been requested through the Kubernetes security process and is pending assignment.
Affected Configuration
The vulnerability affects Kubernetes clusters where:
- kube-proxy is running in IPVS mode (--proxy-mode=ipvs)
- The cluster uses namespace-scoped network policies for service access control
- IPVS connection tracking is enabled (default when using IPVS mode)
Clusters using the iptables proxy mode are not affected. However, many production clusters with large service counts use IPVS mode for performance reasons, as recommended by the Kubernetes documentation.
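The first condition above can be checked from the kube-proxy configuration alone. The following script is an added example, not part of this advisory or of Kubernetes itself: it reads a KubeProxyConfiguration document and the kube-proxy container arguments and reports whether IPVS mode is selected from either source. It assumes the kubeadm layout (ConfigMap `kube-proxy` with key `config.conf` and DaemonSet `kube-proxy` in `kube-system`); the sample inputs are constructed, and no precedence between flag and config file is assumed, so any IPVS selection is treated as affected.

```python
import re
from typing import List, Optional

# Constructed sample inputs (not from a real cluster). On a kubeadm cluster the
# equivalents come from:
#   kubectl -n kube-system get configmap kube-proxy -o jsonpath='{.data.config\.conf}'
#   kubectl -n kube-system get daemonset kube-proxy -o jsonpath='{.spec.template.spec.containers[0].args}'
SAMPLE_CONFIG_CONF = """\
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: "ipvs"
ipvs:
  scheduler: rr
  strictARP: true
"""
SAMPLE_ARGS = ["/usr/local/bin/kube-proxy",
               "--config=/var/lib/kube-proxy/config.conf",
               "--hostname-override=$(NODE_NAME)"]


def mode_from_config(config_conf: str) -> str:
    """Return the top-level 'mode' of a KubeProxyConfiguration YAML document.
    Only unindented keys count; an absent or empty value means kube-proxy
    uses its default mode, which is iptables on Linux."""
    for line in config_conf.splitlines():
        m = re.match(r'^mode:\s*"?([A-Za-z0-9-]*)"?\s*$', line)
        if m:
            return m.group(1) or "iptables"
    return "iptables"


def mode_from_args(args: List[str]) -> Optional[str]:
    """Return the --proxy-mode value from container args, accepting both
    '--proxy-mode=ipvs' and '--proxy-mode ipvs'; None if the flag is absent."""
    for i, a in enumerate(args):
        if a.startswith("--proxy-mode="):
            return a.split("=", 1)[1]
        if a == "--proxy-mode" and i + 1 < len(args):
            return args[i + 1]
    return None


def affected_by_csrg_2026_0521(config_conf: str, args: List[str]) -> bool:
    """True when either the config file or the flag selects IPVS mode.
    Conservative on purpose: no precedence between the two sources is assumed."""
    return "ipvs" in {mode_from_config(config_conf), mode_from_args(args)}


if __name__ == "__main__":
    print("affected:", affected_by_csrg_2026_0521(SAMPLE_CONFIG_CONF, SAMPLE_ARGS))
```

The other two conditions (namespace-scoped policies in use, IPVS conntrack left at its default) are not visible in this configuration and must be confirmed separately.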
Status
The Kubernetes Security Response Committee has confirmed the vulnerability and is developing a patch targeting the IPVS connection tracking subsystem. No further technical details will be published until the fix is available.
Cedar Mesa Security • Advisory CSRG-2026-0521 • Status: Embargo