Critical Denial of Service Vulnerabilities in openSUSE Kubernetes
Severity: High (Score: 72.0)
Sources: Linuxsecurity
Keywords: opensuse, kubernetes, denial, service, update, kubernetes1, fixes
Summary
Recent updates for openSUSE Kubernetes have addressed significant denial of service vulnerabilities, specifically CVE-2026-33814 and CVE-2026-35469. CVE-2026-33814, published on May 7, 2026, involves an infinite loop in HTTP/2 transport when a bad SETTINGS_MAX_FRAME_SIZE is provided. CVE-2026-35469, published on April 16, 2026, relates to memory amplification in SPDY frame parsing, leading to potential denial of service. Affected versions include Kubernetes 1.23 through 1.28, with patches available for various openSUSE and SUSE Linux Enterprise products. The vulnerabilities pose a risk of service disruption for users running these Kubernetes versions. Administrators are advised to apply the latest patches immediately to mitigate risks. The updates were released on June 10, 2026, and are deemed important by SUSE.

Key Points:
- Critical denial of service vulnerabilities identified in openSUSE Kubernetes versions 1.23 to 1.28.
- CVE-2026-33814 and CVE-2026-35469 are the primary vulnerabilities addressed in recent patches.
- Administrators are urged to apply patches immediately to prevent potential service disruptions.
Detailed Analysis
**Impact**

The vulnerabilities affect multiple versions of Kubernetes deployed on openSUSE Leap 15.x and SUSE Linux Enterprise High Performance Computing and Server platforms across various architectures (aarch64, ppc64le, s390x, x86_64). These issues can cause denial of service (DoS) conditions, potentially disrupting container orchestration and cloud-native workloads in sectors relying on Kubernetes infrastructure globally. No direct data breach or data loss is reported, but operational availability is at risk, impacting business continuity for enterprises using affected Kubernetes versions 1.23 through 1.28.

**Technical Details**

Two main vulnerabilities are addressed: CVE-2026-33814, an infinite loop in the golang.org/x/net/http2 HTTP/2 transport triggered by malformed SETTINGS_MAX_FRAME_SIZE frames, and CVE-2026-35469, a memory amplification flaw in github.com/moby/spdystream SPDY frame parsing leading to DoS. Both are remotely exploitable: CVE-2026-33814 without authentication, CVE-2026-35469 with limited privileges. In both cases the attack vector is a malformed network frame that causes resource exhaustion during transport-layer communication. No malware, tools, or IOCs are specified in the reports.

**Recommended Response**

Apply the SUSE patches immediately for your Kubernetes version, using YaST online_update or `zypper patch`, as per SUSE advisories SUSE-2026-2315 through SUSE-2026-2345, which cover Kubernetes versions 1.23 to 1.28. Prioritize patching CVE-2026-33814 because it is exploitable remotely without authentication. Monitor network traffic for anomalous HTTP/2 and SPDY frame sizes and for patterns indicative of malformed SETTINGS_MAX_FRAME_SIZE frames. Harden Kubernetes client packages by ensuring dependencies such as `diffutils` are properly installed, as required by the updated packages. No specific IOCs or detection signatures are currently available.
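The advisories above name the malformed SETTINGS_MAX_FRAME_SIZE frame but show neither the frame nor the patched code. As an added example, not taken from this page, from SUSE, or from the golang.org/x/net project, the following stand-alone Go program decodes an HTTP/2 SETTINGS frame and rejects values outside the bounds RFC 7540 §6.5.2 prescribes for SETTINGS_MAX_FRAME_SIZE (16384 through 16777215), and goes slightly beyond the page's case by applying the analogous RFC bounds to SETTINGS_INITIAL_WINDOW_SIZE and SETTINGS_ENABLE_PUSH. It is the kind of pre-parse sanity check a monitoring probe or a hardened client could apply to spot the anomalous frames the Recommended Response says to watch for; it is not the upstream fix. Function names, error values and the constructed sample frames are the example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame type and setting identifiers from RFC 7540 (sections 6.5 and 6.5.2).
const (
	frameTypeSettings        = 0x4
	settingEnablePush        = 0x2
	settingInitialWindowSize = 0x4
	settingMaxFrameSize      = 0x5

	minMaxFrameSize = 1 << 14   // 16384: initial and smallest legal SETTINGS_MAX_FRAME_SIZE
	maxMaxFrameSize = 1<<24 - 1 // 16777215: largest legal SETTINGS_MAX_FRAME_SIZE
	maxWindowSize   = 1<<31 - 1 // largest legal SETTINGS_INITIAL_WINDOW_SIZE
)

// Error values are the example's own; RFC 7540 treats each case as a
// connection error of type PROTOCOL_ERROR (FRAME_SIZE_ERROR for a bad length).
var (
	ErrShortFrame    = errors.New("frame shorter than its 9-byte header or declared length")
	ErrNotSettings   = errors.New("not a SETTINGS frame")
	ErrBadStream     = errors.New("SETTINGS frame must be sent on stream 0")
	ErrBadLength     = errors.New("SETTINGS payload length must be a multiple of 6")
	ErrBadFrameSize  = errors.New("SETTINGS_MAX_FRAME_SIZE outside 16384..16777215")
	ErrBadWindowSize = errors.New("SETTINGS_INITIAL_WINDOW_SIZE above 2^31-1")
	ErrBadEnablePush = errors.New("SETTINGS_ENABLE_PUSH must be 0 or 1")
)

// Setting is one identifier/value pair from a SETTINGS frame payload.
type Setting struct {
	ID    uint16
	Value uint32
}

// ParseSettingsFrame decodes one raw HTTP/2 frame, checks that it is a
// well-formed SETTINGS frame, and rejects out-of-range values before any
// caller could act on them. It returns the decoded settings or the first error.
func ParseSettingsFrame(b []byte) ([]Setting, error) {
	if len(b) < 9 {
		return nil, ErrShortFrame
	}
	length := int(b[0])<<16 | int(b[1])<<8 | int(b[2]) // 24-bit payload length
	ftype := b[3]                                       // 8-bit frame type (b[4] is flags)
	streamID := binary.BigEndian.Uint32(b[5:9]) & 0x7fffffff
	if ftype != frameTypeSettings {
		return nil, ErrNotSettings
	}
	if streamID != 0 {
		return nil, ErrBadStream
	}
	if length%6 != 0 {
		return nil, ErrBadLength
	}
	if len(b) < 9+length {
		return nil, ErrShortFrame
	}
	payload := b[9 : 9+length]
	settings := make([]Setting, 0, length/6)
	for i := 0; i < length; i += 6 {
		s := Setting{
			ID:    binary.BigEndian.Uint16(payload[i : i+2]),
			Value: binary.BigEndian.Uint32(payload[i+2 : i+6]),
		}
		switch s.ID {
		case settingMaxFrameSize:
			if s.Value < minMaxFrameSize || s.Value > maxMaxFrameSize {
				return nil, ErrBadFrameSize
			}
		case settingInitialWindowSize:
			if s.Value > maxWindowSize {
				return nil, ErrBadWindowSize
			}
		case settingEnablePush:
			if s.Value > 1 {
				return nil, ErrBadEnablePush
			}
		}
		settings = append(settings, s)
	}
	return settings, nil
}

// BuildSettingsFrame encodes settings as a SETTINGS frame on stream 0 with no
// flags. It exists only to construct the sample input used below.
func BuildSettingsFrame(settings []Setting) []byte {
	payloadLen := 6 * len(settings)
	out := make([]byte, 9, 9+payloadLen)
	out[0], out[1], out[2] = byte(payloadLen>>16), byte(payloadLen>>8), byte(payloadLen)
	out[3] = frameTypeSettings // flags and stream id stay zero
	for _, s := range settings {
		var entry [6]byte
		binary.BigEndian.PutUint16(entry[0:2], s.ID)
		binary.BigEndian.PutUint32(entry[2:6], s.Value)
		out = append(out, entry[:]...)
	}
	return out
}

func main() {
	// Constructed samples: one sane frame, one advertising a SETTINGS_MAX_FRAME_SIZE below the RFC minimum.
	good := BuildSettingsFrame([]Setting{{ID: settingMaxFrameSize, Value: 1 << 16}})
	bad := BuildSettingsFrame([]Setting{{ID: settingMaxFrameSize, Value: 1 << 10}})
	for _, f := range [][]byte{good, bad} {
		s, err := ParseSettingsFrame(f)
		fmt.Printf("settings=%v err=%v\n", s, err)
	}
}
```

The check runs before any frame size is adopted, so a peer that advertises a value outside the legal range is refused at the first SETTINGS frame rather than reaching whatever code would otherwise consume the value; the same validator can be pointed at captured traffic to count how often out-of-range advertisements appear.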
Source articles (8)
- OpenSUSE Kubernetes 1.26 Faces Serious Denial of Service Vulnerability — Linuxsecurity · 2026-06-10
  "This update for kubernetes1.26 fixes the following issues * CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265740). * CVE-202…"
- openSUSE Kubernetes Important Denial of Service Fix 2026-2315 — Linuxsecurity · 2026-06-10
  "This update for kubernetes1.23 fixes the following issues * CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265740). * CVE-202…"
- openSUSE Kubernetes Important Denial Of Service Issues SUSE-2026-2345 — Linuxsecurity · 2026-06-11
  "This update for kubernetes1.25 fixes the following issues: Security fixes: * CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#12…"
- openSUSE Kubernetes Critical Denial of Service Fix Advisory 2026-2344 — Linuxsecurity · 2026-06-11
  "This update for kubernetes1.28 fixes the following issues: Security fixes: * CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#12…"
- openSUSE Kubernetes Significant Denial of Service Risk Issue 2026-2343 — Linuxsecurity · 2026-06-11
  "This update for kubernetes1.24 fixes the following issues * CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265740). * CVE-202…"
- openSUSE Kubernetes Important Denial of Service Update 2026-2342 — Linuxsecurity · 2026-06-11
  "This update for kubernetes fixes the following issues * CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265748). * CVE-2026-35…"
- openSUSE Kubernetes Important DDoS Fix CVE-2026-33814 2026-2340 — Linuxsecurity · 2026-06-11
  "This update for kubernetes1.23 fixes the following issues * CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265740). * CVE-202…"
- openSUSE Kubernetes 1.27 Faces Significant Denial of Service Vulnerability — Linuxsecurity · 2026-06-11
  "This update for kubernetes1.27 fixes the following issues * CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265740). * CVE-202…"
Timeline
- 2026-04-16 — CVE-2026-35469 published: Memory amplification in SPDY frame parsing leads to denial of service in Kubernetes.
- 2026-05-07 — CVE-2026-33814 published: Infinite loop vulnerability in HTTP/2 transport when bad SETTINGS_MAX_FRAME_SIZE is provided.
- 2026-06-10 — Patches released for Kubernetes: SUSE released important updates for Kubernetes versions 1.23 to 1.28 to address critical vulnerabilities.
- 2026-06-11 — Security advisory issued: SUSE emphasizes the importance of applying the latest patches to mitigate denial of service risks.
Related entities
- DDoS (Attack Type)
- Denial of Service (Attack Type)
- golang.org (Domain)
- github.com/moby/spdystream (Platform)
- golang.org/x/net/http2 (Platform)
- HTTP/2 (Platform)
- Kubernetes (Platform)
- Linux (Platform)
- OpenSUSE Leap 15.3 (Platform)
- OpenSUSE Leap 15.5 (Platform)
- SPDY (Platform)
- SUSE Linux Enterprise High Performance Computing Espos 15 SP4 (Platform)
- SUSE Linux Enterprise High Performance Computing Espos 15 SP5 (Platform)
- SUSE Linux Enterprise High Performance Computing LTSS (Platform)
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (Platform)
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (Platform)
- SUSE Linux Enterprise Server For SAP Applications (Platform)
- OpenSUSE (Company)