CVE-2026-33022

MEDIUM EPSS 28.7%
Published Mar 20, 20263mo ago · Modified Mar 24, 20263mo ago
6.5 CVSS 3.1
Medium
Find Similar
Published Mar 20, 2026 3mo ago
Last Modified Mar 24, 2026 3mo ago

Description

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Versions 0.60.0 through 1.0.0, 1.1.0 through 1.3.2, 1.4.0 through 1.6.0, 1.7.0 through 1.9.0, 1.10.0, and 1.10.1 have a denial-of-service vulnerability in that allows any user who can create a TaskRun or PipelineRun to crash the controller cluster-wide by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31+ characters. The crash occurs because GenerateDeterministicNameFromSpec produces a name exceeding the 63-character DNS-1123 label limit, and its truncation logic panics on a [-1] slice bound since the generated name contains no spaces. Once crashed, the controller enters a CrashLoopBackOff on restart (as it re-reconciles the offending resource), blocking all CI/CD reconciliation until the resource is manually deleted. Built-in resolvers (git, cluster, bundles, hub) are unaffected due to their short names, but any custom resolver name triggers the bug. The fix truncates the resolver-name prefix instead of the full string, preserving the hash suffix for determinism and uniqueness. This issue has been patched in versions 1.0.1, 1.3.3, 1.6.1, 1.9.2 and 1.10.2.

CVSS Details

Base Score
6.5
Exploitability
2.8
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
28.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-129

Affected Products 5

VendorProductVersionRange
linuxfoundationtekton_pipelines*≥0.60.0  –  <1.0.1
linuxfoundationtekton_pipelines*≥1.1.0  –  <1.3.3
linuxfoundationtekton_pipelines*≥1.4.0  –  <1.6.1
linuxfoundationtekton_pipelines*≥1.7.0  –  <1.9.2
linuxfoundationtekton_pipelines*≥1.10.0  –  <1.10.2

References 2

  • github.com https://github.com/tektoncd/pipeline/commit/5eead3f859b9f938e86039e4d29185092c1d4ee6
    Patch
  • github.com https://github.com/tektoncd/pipeline/security/advisories/GHSA-cv4x-93xx-wgfj
    PatchVendor Advisory

Remediation

  • github.com https://github.com/tektoncd/pipeline/commit/5eead3f859b9f938e86039e4d29185092c1d4ee6
    Patch
  • github.com https://github.com/tektoncd/pipeline/security/advisories/GHSA-cv4x-93xx-wgfj
    PatchVendor Advisory