openSUSE Kubernetes Denial of Service Vulnerabilities Addressed
Severity: Medium (Score: 57.9)
Sources: Linuxsecurity
Keywords: opensuse, kubernetes, denial, service, update, kubernetes1, fixes
Summary
openSUSE has released important updates for Kubernetes versions 1.23 and 1.26 to address two critical denial of service vulnerabilities. CVE-2026-33814 involves an infinite loop in HTTP/2 transport when bad SETTINGS_MAX_FRAME_SIZE is provided, while CVE-2026-35469 relates to memory amplification in SPDY frame parsing. Both vulnerabilities could lead to significant service disruptions. The updates were published on June 9, 2026, and are rated as important. Affected systems include openSUSE Leap 15.3 and 15.4, as well as SUSE Linux Enterprise High Performance Computing and Server for SAP Applications. Administrators are advised to apply the patches using recommended installation methods. The vulnerabilities were disclosed in May and April 2026, respectively.

Key Points:
- Two denial of service vulnerabilities in Kubernetes 1.23 and 1.26 have been patched.
- CVE-2026-33814 and CVE-2026-35469 could lead to significant service disruptions.
- Administrators are urged to apply the updates immediately using SUSE's recommended methods.
Detailed Analysis
**Impact**

Users of openSUSE Kubernetes versions 1.23 and 1.26 are affected by denial of service vulnerabilities. This impacts deployments running on openSUSE Leap 15.3, 15.4, and SUSE Linux Enterprise High Performance Computing and Server for SAP Applications editions, potentially disrupting cloud-native applications and services. No specific sectors or geographies are mentioned, but the vulnerabilities could affect any organization relying on these Kubernetes versions for container orchestration.

**Technical Details**

Two vulnerabilities are addressed: CVE-2026-33814, an infinite loop in the HTTP/2 transport triggered by malformed SETTINGS_MAX_FRAME_SIZE values, and CVE-2026-35469, a memory amplification issue in SPDY frame parsing leading to denial of service. Both allow remote attackers to cause service disruption without authentication. The flaws reside in the golang.org/x/net/http2 and github.com/moby/spdystream components used by Kubernetes. No malware, tools, or IOCs are provided.

**Recommended Response**

Apply the SUSE patches immediately using YaST online_update or the provided zypper commands for the relevant product versions (SUSE-2026-2315 for Kubernetes 1.23 and SUSE-2026-2325 for Kubernetes 1.26). Monitor Kubernetes HTTP/2 traffic for abnormal frame sizes or memory usage spikes indicative of exploitation attempts. Harden HTTP/2 and SPDY protocol handling where possible. No additional detection rules or indicators were specified.
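As an added illustration of the input CVE-2026-33814 concerns, the following example shows the range check RFC 7540 §6.5.2 requires on a peer's SETTINGS_MAX_FRAME_SIZE (identifier 0x5, valid values 2^14 through 2^24-1). It is example code written for this page, not the golang.org/x/net/http2 fix, and the sample payloads are constructed rather than captured.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// RFC 7540 §6.5.2: SETTINGS_MAX_FRAME_SIZE (identifier 0x5) must lie in
// [2^14, 2^24-1]; any other value is a connection error (PROTOCOL_ERROR).
const (
	settingMaxFrameSize uint16 = 0x5
	minMaxFrameSize            = 1 << 14
	maxMaxFrameSize            = 1<<24 - 1
)

var ErrProtocol = errors.New("PROTOCOL_ERROR: SETTINGS_MAX_FRAME_SIZE out of range")
var ErrFrameSize = errors.New("FRAME_SIZE_ERROR: SETTINGS payload not a multiple of 6")

// ParseMaxFrameSize walks a SETTINGS frame payload (a sequence of 6-byte
// identifier/value pairs) and returns the validated MAX_FRAME_SIZE it
// advertises, or `current` unchanged if the setting is absent. Rejecting an
// out-of-range value here, before it reaches the framer, is what prevents a
// peer from steering later frame-size arithmetic with a nonsensical limit.
func ParseMaxFrameSize(payload []byte, current uint32) (uint32, error) {
	if len(payload)%6 != 0 {
		return 0, ErrFrameSize
	}
	result := current
	for off := 0; off < len(payload); off += 6 {
		id := binary.BigEndian.Uint16(payload[off : off+2])
		val := binary.BigEndian.Uint32(payload[off+2 : off+6])
		if id != settingMaxFrameSize {
			continue // other settings are out of scope for this example
		}
		if val < minMaxFrameSize || val > maxMaxFrameSize {
			return 0, fmt.Errorf("%w: %d", ErrProtocol, val)
		}
		result = val
	}
	return result, nil
}

func main() {
	// Constructed sample payloads, not captured traffic.
	good := []byte{0x00, 0x05, 0x00, 0x01, 0x00, 0x00} // 65536, within range
	bad := []byte{0x00, 0x05, 0x00, 0x00, 0x00, 0x01}  // 1, below the RFC minimum
	for _, p := range [][]byte{good, bad} {
		v, err := ParseMaxFrameSize(p, minMaxFrameSize)
		fmt.Println(v, err)
	}
}
```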
Source articles (2)
- OpenSUSE Kubernetes 1.26 Faces Serious Denial of Service Vulnerability — Linuxsecurity · 2026-06-10
  > This update for kubernetes1.26 fixes the following issues * CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265740). * CVE-202…
- openSUSE Kubernetes Important Denial of Service Fix 2026-2315 — Linuxsecurity · 2026-06-10
  > This update for kubernetes1.23 fixes the following issues * CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE (bsc#1265740). * CVE-202…
Timeline
- 2026-04-16 — CVE-2026-35469 published: CVE-2026-35469 disclosed, detailing memory amplification in SPDY frame parsing.
- 2026-05-07 — CVE-2026-33814 published: CVE-2026-33814 disclosed, involving an infinite loop in HTTP/2 transport.
- 2026-06-09 — Patches released for Kubernetes vulnerabilities: SUSE released updates for Kubernetes 1.23 and 1.26 to address critical vulnerabilities.
Related entities
- Denial of Service (Attack Type)
- golang.org (Domain)
- Kubernetes (Platform)
- OpenSUSE Leap 15.3 (Platform)
- SUSE Linux Enterprise High Performance Computing Espos 15 SP4 (Platform)
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (Platform)
- SUSE Linux Enterprise Server For SAP Applications (Platform)
- OpenSUSE (Company)