CVE-2026-32241— flannel 命令注入漏洞

Flannel vulnerable to cross-node remote code execution via extension backend BackendData injection

Flannel is a network fabric for containers, designed for Kubernetes. The Flannel project includes an experimental Extension backend that allows users to easily prototype new backend types. In versions of Flannel prior to 0.28.2, this Extension backend is vulnerable to a command injection that allows an attacker who can set Kubernetes Node annotations to achieve root-level arbitrary command execution on every flannel node in the cluster. The Extension backend's SubnetAddCommand and SubnetRemoveCommand receive attacker-controlled data via stdin (from the `flannel.alpha.coreos.com/backend-data` Node annotation). The content of this annotation is unmarshalled and piped directly to a shell command without checks. Kubernetes clusters using Flannel with the Extension backend are affected by this vulnerability. Other backends such as vxlan and wireguard are unaffected. The vulnerability is fixed in version v0.28.2. As a workaround, use Flannel with another backend such as vxlan or wireguard.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

在命令中使用的特殊元素转义处理不恰当(命令注入)

flannel 命令注入漏洞

flannel是flannel-io开源的一个Kubernetes集群网络解决方案。 flannel 0.28.2之前版本存在命令注入漏洞，该漏洞源于实验性Extension后端，攻击者可通过设置Kubernetes节点注释将攻击者控制的数据通过标准输入直接传递给shell命令，可能导致在集群中的每个flannel节点上实现root级别的任意命令执行。

N/A

N/A