FKIE_CVE-2026-3864

Vulnerability from fkie_nvd - Published: 2026-03-20 23:16 - Updated: 2026-03-23 14:32
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Summary
A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequences (../). During volume deletion or cleanup operations, the driver could operate on unintended directories outside the intended managed path within the NFS export. This may lead to deletion or modification of directories on the NFS server.
References
jordan@liggitt.nethttps://github.com/kubernetes/kubernetes/issues/137797
jordan@liggitt.nethttps://groups.google.com/g/kubernetes-security-announce/c/i4ZKN9VLcUE
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2026/03/17/1
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequences (../). During volume deletion or cleanup operations, the driver could operate on unintended directories outside the intended managed path within the NFS export. This may lead to deletion or modification of directories on the NFS server."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 una vulnerabilidad en el controlador CSI de Kubernetes para NFS donde el par\u00e1metro subDir en los identificadores de volumen no se validaba suficientemente. Atacantes con la capacidad de crear PersistentVolumes que hacen referencia al controlador CSI de NFS podr\u00edan crear identificadores de volumen que contienen secuencias de salto de ruta (../). Durante las operaciones de eliminaci\u00f3n o limpieza de volumen, el controlador podr\u00eda operar en directorios no deseados fuera de la ruta gestionada prevista dentro de la exportaci\u00f3n NFS. Esto podr\u00eda llevar a la eliminaci\u00f3n o modificaci\u00f3n de directorios en el servidor NFS."
    }
  ],
  "id": "CVE-2026-3864",
  "lastModified": "2026-03-23T14:32:02.800",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.2,
        "source": "jordan@liggitt.net",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T23:16:48.303",
  "references": [
    {
      "source": "jordan@liggitt.net",
      "url": "https://github.com/kubernetes/kubernetes/issues/137797"
    },
    {
      "source": "jordan@liggitt.net",
      "url": "https://groups.google.com/g/kubernetes-security-announce/c/i4ZKN9VLcUE"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/17/1"
    }
  ],
  "sourceIdentifier": "jordan@liggitt.net",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "jordan@liggitt.net",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.