CVE-2026-31890

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-31890

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31890.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-31890

Aliases

GHSA-wv52-frfv-mfh4

Published

2026-03-12T17:35:02.129Z

Modified

2026-04-10T05:42:12.538057Z

Severity

4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

Inspektor Gadget: Tracing Denial of Service via Event Flooding

Details

Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. Prior to 0.50.1, in a situation where the ring-buffer of a gadget is – incidentally or maliciously – already full, the gadget will silently drop events. The include/gadget/buffer.h file contains definitions for the Buffer API that gadgets can use to, among the other things, transfer data from eBPF programs to userspace. For hosts running a modern enough Linux kernel (>= 5.8), this transfer mechanism is based on ring-buffers. The size of the ring-buffer for the gadgets is hard-coded to 256KB. When a gadgetreservebuf fails because of insufficient space, the gadget silently cleans up without producing an alert. The lost count reported by the eBPF operator, when using ring-buffers – the modern choice – is hardcoded to zero. The vulnerability can be used by a malicious event source (e.g. a compromised container) to cause a Denial Of Service, forcing the system to drop events coming from other containers (or the same container). This vulnerability is fixed in 0.50.1.

Database specific

{
    "cwe_ids": [
        "CWE-223",
        "CWE-770"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31890.json"
}

References

Affected packages

Git / github.com/inspektor-gadget/inspektor-gadget

Affected ranges

Type: GIT
Repo: https://github.com/inspektor-gadget/inspektor-gadget
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

64b90d99ca8e6f3c4153ea3c94599b230e73fdef

Affected versions

v0.*

v0.1.0

v0.1.0-alpha.1

v0.1.0-alpha.4

v0.1.0-alpha.5

v0.10.0

v0.11.0

v0.11.0-rc

v0.12.0

v0.12.0-rc

v0.12.1

v0.13.0

v0.13.0-rc

v0.14.0

v0.14.0-rc

v0.15.0

v0.15.0-rc

v0.16.0

v0.16.0-rc

v0.16.1

v0.17.0

v0.18.0

v0.18.1

v0.19.0

v0.2.0

v0.2.1

v0.20.0

v0.21.0

v0.22.0

v0.23.0

v0.23.1

v0.24.0

v0.25.0

v0.26.0

v0.27.0

v0.28.0

v0.29.0

v0.3.0

v0.3.1

v0.30.0

v0.31.0

v0.32.0

v0.33.0

v0.34.0

v0.35.0

v0.36.0

v0.37.0

v0.38.0

v0.39.0

v0.4.0

v0.4.1

v0.4.2

v0.40.0

v0.41.0

v0.42.0

v0.43.0

v0.44.0

v0.45.0

v0.46.0

v0.47.0

v0.48.0

v0.49.0

v0.5.0

v0.5.1

v0.50.0

v0.6.0

v0.7.0

v0.7.1

v0.8.0

v0.9.0

v0.9.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31890.json"