CVE-2024-42488
Severity: MEDIUM (6.8) | EPSS 0.03% | Policy bypass for Host Firewall policy due to race condition in Cilium agent
Description
### Impact

A race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass.

### Patches

This issue was fixed in https://github.com/cilium/cilium/pull/33511.

This issue affects:

- All versions of Cilium before v1.14.14
- Cilium v1.15 between v1.15.0 and v1.15.7 inclusive

This issue has been patched in:

- Cilium v1.14.14
- Cilium v1.15.8

### Workarounds

As the underlying issue depends on a race condition, users unable to upgrade can restart the Cilium agent on affected nodes until the affected policies are confirmed to be working as expected.

### Acknowledgements

The Cilium community has worked together with members of Google and Isovalent to prepare these mitigations. Special thanks to @skmatti for raising and resolving this issue.

### For more information

If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [[email protected]](mailto:[email protected]). This is a private mailing list for the Cilium security team, and your report will be treated as top priority.
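The workaround above asks operators to confirm that the affected policies are actually being applied. The following added example (not code from the Cilium project or the advisory) evaluates a CiliumClusterwideNetworkPolicy `nodeSelector` twice, once against the node's labels as recorded in Kubernetes and once against the label set the agent actually applied, and flags the gap that the race described here produces. The label maps, policy and node names are constructed sample data; in practice you would feed it the labels read from the Node object and from the agent on that node.

```python
"""Detect a CCNP nodeSelector that matches a node's Kubernetes labels but not
the labels the Cilium agent applied (the bypass described in CVE-2024-42488).
Selector evaluation follows Kubernetes LabelSelector semantics: matchLabels
plus the In / NotIn / Exists / DoesNotExist matchExpressions operators."""
from typing import Dict

Labels = Dict[str, str]


def selector_matches(selector: dict, labels: Labels) -> bool:
    """Return True if a Kubernetes-style LabelSelector selects `labels`."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True


def policy_gap(policy: dict, k8s_labels: Labels, agent_labels: Labels) -> dict:
    """Compare how the policy's nodeSelector resolves against the Kubernetes
    node labels versus the labels the agent applied. A policy that matches the
    former but not the latter is silently not enforced on that node."""
    selector = policy["spec"]["nodeSelector"]
    intended = selector_matches(selector, k8s_labels)
    effective = selector_matches(selector, agent_labels)
    dropped = sorted(k for k, v in k8s_labels.items() if agent_labels.get(k) != v)
    return {"policy": policy["metadata"]["name"], "intended": intended,
            "effective": effective, "bypass": intended and not effective,
            "dropped_labels": dropped}


# Constructed sample data (hypothetical node, label key and policy name).
NODE_LABELS = {"kubernetes.io/hostname": "worker-1", "example.com/node-role": "ingress"}
AGENT_LABELS = {"kubernetes.io/hostname": "worker-1"}  # role label was ignored by the agent
INGRESS_POLICY = {
    "metadata": {"name": "ingress-nodes-host-fw"},
    "spec": {"nodeSelector": {"matchLabels": {"example.com/node-role": "ingress"}},
             "ingress": [{"fromEntities": ["cluster"]}]},
}

if __name__ == "__main__":
    print(policy_gap(INGRESS_POLICY, NODE_LABELS, AGENT_LABELS))
```

A `bypass` of `True` for any node is the signal to restart the agent on that node and re-check, as the workaround describes.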
Affected packages (5)
- Bitnami/cilium: >= 1.15.4, < 1.16.0
- Bitnami/cilium-operator: >= 1.15.4, < 1.16.0
- Bitnami/hubble-relay: from 0, < 1.16.0
- Go/github.com/cilium/cilium: from 0, < 1.14.14
- Go/github.com/cilium/cilium: from 0, < 1.14.14; >= 1.15.0, < 1.15.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.8) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-42488
- PATCH: https://github.com/cilium/cilium
- WEB: https://github.com/cilium/cilium/commit/7877db09b3f34d3081a1d66459b8fa6603dc3d30
- WEB: https://github.com/cilium/cilium/commit/aa44dd148a9be95e07782e4f990e61678ef0abf8
- WEB: https://github.com/cilium/cilium/commit/f81a1ee0cfdec928980db8640def984b2eeaa134
- WEB: https://github.com/cilium/cilium/pull/33511
- WEB: https://github.com/cilium/cilium/security/advisories/GHSA-q7w8-72mr-vpgw