Why Kubernetes CVE records still flag unfixed issues

The record changes, not the vulnerability

The Kubernetes CVE records for CVE-2020-8561, CVE-2020-8562, and CVE-2021-25740 were corrected on 1 June 2026 so they show all versions as affected. Earlier metadata had fixed-version fields in places where there was no upstream fix. That sort of mistake is easy to miss until someone generates the machine-readable vulnerability data and notices the ranges do not line up.

That matters because scanners do not read intent. They read version ranges from CVE and OSV files, then mark a package or cluster version as affected or not affected. If the record says a version is fixed, a scanner can go quiet even when the behaviour is still present. When the record is later corrected, the same scanner starts lighting up again. Same cluster, different paperwork.

OSV files exposed the bad fixed-version fields

The discrepancy showed up while generating official OSV files. That is the unglamorous part of vulnerability management: the file format is often where mistakes become visible, because it forces the version ranges into something a tool can compare without guessing.

For these Kubernetes CVE records, the corrected OSV data is the point where the broken fixed-version fields stop hiding the issue. The scanner result changes because the metadata changes, not because the cluster changed. If a tool keys off the record, it will follow that correction exactly.

Scanner behaviour follows the metadata, not the patch notes

Vulnerability scanners are only as honest as the version data they ingest. They do not inspect whether a cluster has a risky redirect path, a DNS race, or loose endpoint permissions. They ask whether the running version matches the affected range.

That creates two ugly failure modes. One is a false negative when bad fixed tags make the issue look resolved. The other is a sudden flood of findings after the metadata is repaired, which looks like a new incident if nobody knows the records were wrong in the first place.

The issues stay open because the behaviour is architectural

These CVEs are not waiting on a normal patch cycle. The underlying behaviour is baked into how the components work, so the fix is usually a boundary change, a restriction, or a careful setting rather than a new binary.

kube-apiserver redirect handling and DNS resolution

One case involves kube-apiserver following HTTP redirects for admission webhook requests. A redirect can send the API server towards a private network target if the webhook configuration allows it. That is why AdmissionWebhookConfiguration matters here: the webhook path is part of the attack surface, not just a plumbing detail.

Another piece is the API server proxy and DNS resolution. The proxy validates DNS, then resolves again before connecting. That leaves room for a DNS time-of-check to time-of-use race, where the name looked harmless at validation time and points somewhere else when the connection is made. Pinning a resolved IP sounds neat until split-horizon DNS or changing backend addresses turn it into a nuisance. Kubernetes does not get to pretend the network is static just because a scanner would prefer it.

The practical controls are dull, which is usually a sign they are real. Keep API server log verbosity below 10, set --v to less than 10, and disable profiling with --profiling=false. Using a local DNS caching resolver such as dnsmasq for kube-apiserver helps when DNS answers need to stay consistent long enough for the server to stop tripping over them. dnsmasq min-cache-ttl can also reduce churn in the answer set.

EndpointSlice, manual backends, and RBAC drift

The other issue set sits around Endpoints and EndpointSlice. Manual backend IP specification is allowed, which means traffic can be pointed at places that do not match the neat mental model of one service, one backend, one namespace. That is useful for some setups and awkward for security reviews.

Write access to Endpoints and EndpointSlice is where the drift tends to show up. Broad roles that still have those permissions can quietly keep shaping traffic after an upgrade. Since Kubernetes 1.22, the default edit and admin ClusterRoles no longer include those permissions, but older clusters often keep custom or aggregated roles that were never cleaned up.

The specific mess to look for is system:aggregate-to-edit. If a cluster was upgraded from an older release, it is worth checking whether that aggregated role still grants Endpoints write access. kubectl auth reconcile can strip those permissions back out when the cluster uses RBAC authorisation mode. That is not glamorous, but it stops a stale permission from becoming a routing primitive.

What to check in a cluster before you trust the scan

A clean scanner result does not mean much if the cluster still accepts the risky behaviour. The first check is whether the API server and webhook settings are tightened enough that redirect and DNS tricks have nowhere useful to land.

Tighten API server flags and webhook exposure

Start with the boring flags. Keep --v below 10 and set --profiling=false. Review any webhook configuration that allows redirects or exposes webhook endpoints to wider network paths than necessary. AdmissionWebhookConfiguration should not be treated as a harmless control plane note if it can steer API server traffic.

If the API server is depending on ordinary DNS lookups for webhooks or proxy targets, use a local caching resolver and make the answer stable enough to avoid the race. dnsmasq is the common example here because it can provide a consistent cached answer for the server process without pretending the rest of the cluster has fixed addresses forever.

Reconcile Endpoints permissions after upgrades

After an upgrade, check who can write Endpoints and EndpointSlice. The risky pattern is old RBAC still in place because nothing complained during the upgrade. Scanner output will not catch that by itself. A version check only tells you what release is running, not whether some role can quietly change service backends.

Run RBAC reconciliation against the upgraded cluster, then inspect system:aggregate-to-edit and any custom roles that inherited broader permissions than they should have kept. If the cluster uses RBAC authorisation mode, kubectl auth reconcile gives a way to remove the stale write access rather than hand-editing role objects and hoping nothing re-adds them later.

The result is not perfect certainty, just less nonsense in the scan results. That is usually the best you get with Kubernetes CVE records: version data, runtime behaviour, and access control all have to agree, and one of them is always a bit behind.

Related posts

Agentic AI still needs domain judgement

Agentic AI can write the thing, but it still cannot tell you whether the thing is right. That is where domain expertise matters, because a clean config or neat bit of glue logic can still be wrong in...

Weekly Tech Digest | 06 Jul 2026

Stay updated with the latest in tech! This digest covers AI ethics, auto industry shifts, and the impact of politics on technology, exploring today's pressing issues.

wolfCOSE zero-allocation parsing in embedded C

wolfCOSE looks sensible only if you care about what your firmware actually has to carry. I like that, because on small targets the wrong crypto feature can cost more than the message itself, and there...