Skip to content

Update module github.com/cilium/cilium to v1.18.10 [SECURITY]#586

Merged
AshleyDumaine merged 1 commit into
mainfrom
renovate/go-github.com-cilium-cilium-vulnerability
Jul 7, 2026
Merged

Update module github.com/cilium/cilium to v1.18.10 [SECURITY]#586
AshleyDumaine merged 1 commit into
mainfrom
renovate/go-github.com-cilium-cilium-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/cilium/cilium v1.18.9v1.18.10 age confidence

CiliumLocalRedirectPolicy addressMatcher allows cross-namespace service traffic hijacking and can break service translation

CVE-2026-53935 / GHSA-q6h5-q3q6-f87x

More information

Details

Impact

Users with the ability to create CiliumLocalRedirectPolicies can specify arbitrary ClusterIPs via addressMatcher, which enables hijacking traffic to Services in any namespace, bypassing the namespace-scoping guarantees enforced by serviceMatcher.

In addition, deleting such a policy can corrupt Cilium's internal service state, causing service translation to stop working entirely for the affected Service.

Patches

This issue affects:

  • Cilium v1.19.0 to v1.19.3 inclusive (fixed in PR #​45584)
  • Cilium v1.18.2 to v1.18.9 inclusive (fixed in PR #​45585)
  • All versions of Cilium prior to v1.17.16 (fixed in PR #​45412)

This issue has been patched in:

  • Cilium v1.19.4
  • Cilium v1.18.10
  • Cilium v1.17.16
Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​ysksuzuki for investigating and fixing the issue.

For more information

If there are any questions or comments about this advisory, please reach out on Slack.

To report potential vulnerabilities affecting Cilium, it strongly is encouraged to report them through the security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and reports will be treated as a top priority.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.18.10: 1.18.10

Compare Source

Summary of Changes

Bugfixes:

  • Fix cilium-agent crash when a transient network error occurs during CiliumNode update. The agent now retries instead of calling Fatal. (Backport PR #​45753, Upstream PR #​44526, @​nebojsaj1726)
  • Fix CiliumLocalRedirectPolicy addressMatcher overriding an existing Service's frontend when its backend pods are not yet Ready. (Backport PR #​45585, Upstream PR #​45522, @​ysksuzuki)
  • Fix missing global service backends in Cluster Mesh when multiple service ports point to the same target port. (Backport PR #​45354, Upstream PR #​45179, @​RiccardoAtzori91)
  • fix(egressGateway): skip unmatched gateways when using multiple gateway (Backport PR #​45631, Upstream PR #​44705, @​ieth0)
  • fix(ipsec): panic in parseSPI on malformed input (Backport PR #​45498, Upstream PR #​44815, @​isoyuki)

CI Changes:

Misc Changes:

Other Changes:

Docker Manifests

cilium

quay.io/cilium/cilium:v1.18.10@​sha256:dd573bc2f7213dbd978e564a363ecaad060e9578ed557b92b53e42eeeb0f2294

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.18.10@​sha256:59f806137c7b153504d4352254e48a03714e924e797c89a7e6f18c6f9c39f80a

docker-plugin

quay.io/cilium/docker-plugin:v1.18.10@​sha256:5602ac037c5541e1999808f9195913de848b9b1b8b863434b89fd2d5d9c7f27c

hubble-relay

quay.io/cilium/hubble-relay:v1.18.10@​sha256:6f320095640b8e7bb4c1c9efdd0ed46302d0d684c3ea04eb341ca7e0618ef740

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.18.10@​sha256:ed72bbf23849ea772acda3960d060200d7893b41c2228b2805706a608e0e2ee9

operator-aws

quay.io/cilium/operator-aws:v1.18.10@​sha256:9bb1f11266ee9ee85a218206c47bc180a62c168ea295834149c05f54b76a44c1

operator-azure

quay.io/cilium/operator-azure:v1.18.10@​sha256:997ffc723ab7a542e86558721de8167a24e7a45a6c9caba9a74ab3b427620562

operator-generic

quay.io/cilium/operator-generic:v1.18.10@​sha256:ab08d58fd12e98d9a9601d4b52beee839ff2537fba73d262aabad222454a16b3

operator

quay.io/cilium/operator:v1.18.10@​sha256:a62e6af4e3d0a57998ea76c398f6eaba0f0b6502de0cadd7a4153bf81f96102d


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies dependency updates including security fixes label Jul 7, 2026
@codecov

codecov Bot commented Jul 7, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.65%. Comparing base (df44e20) to head (6369611).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #586   +/-   ##
=======================================
  Coverage   73.65%   73.65%           
=======================================
  Files          19       19           
  Lines        3029     3029           
=======================================
  Hits         2231     2231           
  Misses        538      538           
  Partials      260      260           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@AshleyDumaine AshleyDumaine merged commit 916513b into main Jul 7, 2026
12 checks passed
@AshleyDumaine AshleyDumaine deleted the renovate/go-github.com-cilium-cilium-vulnerability branch July 7, 2026 14:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies dependency updates including security fixes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant