
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A denial of service vulnerability (CVE-2025-23028) was discovered in Cilium, a networking, observability, and security solution with an eBPF-based dataplane. The vulnerability affects versions 1.14.0 through 1.14.7, 1.15.0 through 1.15.11, and 1.16.0 through 1.16.4. The issue was discovered in January 2025 and has been fixed in versions v1.14.18, v1.15.12, and v1.16.5 (GitHub Advisory, NVD).
In Kubernetes clusters where Cilium is configured to proxy DNS traffic, the vulnerability allows an attacker to crash Cilium agents by sending crafted DNS responses to workloads from outside the cluster. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating it requires no privileges or user interaction to exploit (GitHub Advisory).
When exploited, the vulnerability affects traffic handling in several ways. Traffic that is allowed without DNS-based policy continues to pass as configured at the time of the DoS. For workloads with DNS-based policy configured, existing connections may continue to operate and new connections that do not depend on DNS resolution can still be established, but new connections that require DNS resolution may be disrupted. Additionally, no configuration changes affecting the impacted agent can be applied until the agent restarts (GitHub Advisory).
No known workarounds are available for this vulnerability. The only recommended mitigation is to upgrade to the patched versions: Cilium v1.14.18, v1.15.12, or v1.16.5 (GitHub Advisory).
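As an added example, not part of this advisory or of the Cilium project: a small Python triage helper that checks Cilium agent image tags against the fixed releases named above. It conservatively treats any release on a listed minor line that is older than the fix, pre-release tags included, as needing the upgrade, and assumes image references in the usual `repository:tag` form.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) line; the trailing 1
# marks a final release so that a pre-release tag (0) sorts before it.
FIXED_BY_LINE = {(1, 14): (1, 14, 18, 1), (1, 15): (1, 15, 12, 1), (1, 16): (1, 16, 5, 1)}

# Accepts 'v1.15.11', '1.16.4-rc.1' and '1.14.3+build'; group 4 is the pre-release suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+.*)?$")

def parse_version(text):
    """Return (major, minor, patch, is_release) for a version string or image reference."""
    tag = text.strip().rsplit(":", 1)[-1]  # drop a 'repository:' prefix, if any
    m = _VERSION_RE.match(tag)
    if not m:
        raise ValueError(f"unrecognised Cilium version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)

def triage(text):
    """Classify one version as 'affected' (older than the fix on a listed line),
    'fixed', or 'not-listed' (a minor line the advisory does not name)."""
    ver = parse_version(text)
    fixed = FIXED_BY_LINE.get(ver[:2])
    if fixed is None:
        return {"version": text, "status": "not-listed", "upgrade_to": None}
    if ver < fixed:
        return {"version": text, "status": "affected", "upgrade_to": "v%d.%d.%d" % fixed[:3]}
    return {"version": text, "status": "fixed", "upgrade_to": None}

def triage_images(images):
    """Triage each image reference (e.g. from the cilium DaemonSet); bad tags are reported, not fatal."""
    results = []
    for image in images:
        try:
            results.append(triage(image))
        except ValueError as err:
            results.append({"version": image, "status": "unparsed", "upgrade_to": None, "error": str(err)})
    return results

if __name__ == "__main__":
    # Constructed sample image references, as they might appear in a DaemonSet listing.
    sample = ["quay.io/cilium/cilium:v1.15.11", "quay.io/cilium/cilium:v1.16.5",
              "quay.io/cilium/cilium:v1.16.5-rc.0", "quay.io/cilium/cilium:v1.17.0",
              "quay.io/cilium/cilium:latest"]
    for r in triage_images(sample):
        print(f"{r['version']:40} {r['status']:10} {r['upgrade_to'] or ''}")
```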
The Cilium community worked collaboratively with members of Isovalent and the Cisco Advanced Security Initiatives Group (ASIG) to prepare the mitigations. Special acknowledgment was given to kokelley-cisco for reporting the issue and bimmlerd for developing the fix (GitHub Advisory).
Source: This report was generated using AI