PatchSiren cyber security CVE debrief

CVE-2026-41520 cilium CVE debrief

Cilium's diagnostic utility, cilium-bugtool, inadvertently captures sensitive cryptographic material when WireGuard encryption is active. The tool is designed to collect system state for troubleshooting, but prior to the patched versions it failed to redact WireGuard private keys from its output. Because bugtool archives are frequently shared with vendors or posted to public issue trackers, this creates a high-risk information disclosure path. The CVSS vector indicates a local attack requiring high privileges, but the scope change (S:C) reflects that a compromised container or node with bugtool access can expose cluster-wide encryption keys, undermining the confidentiality and integrity guarantees of WireGuard-encrypted traffic.

Vendor: cilium
Product: Unknown
CVSS: HIGH 7.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-18
Advisory published: 2026-05-08
Advisory updated: 2026-05-18

Who should care

Platform engineering teams operating Cilium-based Kubernetes clusters with WireGuard encryption enabled; security teams responsible for secret rotation and incident response; support engineers who routinely generate and share cilium-bugtool output.

Technical summary

The cilium-bugtool utility in Cilium versions prior to 1.17.15, 1.18.9, and 1.19.3 captures WireGuard private keys in its diagnostic output when WireGuard encryption is enabled. This exposes cluster encryption material to anyone with access to the generated bugtool archive, potentially allowing decryption of cluster network traffic or impersonation of cluster nodes. The issue is resolved in versions 1.17.15, 1.18.9, and 1.19.3.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Cilium to 1.17.15, 1.18.9, 1.19.3, or a later release.
  • Audit any previously generated cilium-bugtool archives for potential WireGuard key exposure, particularly those shared externally.
  • Rotate WireGuard keys if there is any suspicion that bugtool output containing keys was disclosed.
  • Review and restrict who can run cilium-bugtool to minimize the exposure window.
  • Validate that automated diagnostic collection pipelines sanitize or exclude sensitive cryptographic material.
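As an added example (not code from this page, from PatchSiren, or from the Cilium project), the following Python script supports two of the actions above: it checks a Cilium version string against the affected ranges listed in the evidence notes, and it scans bugtool-style text for base64 values of WireGuard key length on lines that name a private key, redacting them while leaving public keys intact. The `wg showconf`-style layout of the constructed sample and the field names matched are assumptions; this page does not state how cilium-bugtool formats the captured keys.

```python
import base64
import re

# Affected ranges from the evidence notes: < 1.17.15, 1.18.0-1.18.8, 1.19.0-1.19.2,
# each as (inclusive lower bound, exclusive upper bound).
AFFECTED_RANGES = [((0, 0, 0), (1, 17, 15)), ((1, 18, 0), (1, 18, 9)), ((1, 19, 0), (1, 19, 3))]

# A WireGuard key is 32 Curve25519 bytes: 43 base64 characters plus one '=' of padding.
KEY_TOKEN = re.compile(r"[A-Za-z0-9+/]{43}=")
PRIVATE_FIELD = re.compile(r"private[_ -]?key", re.IGNORECASE)  # assumed field spellings
REDACTED = "[REDACTED-WG-PRIVATE-KEY]"


def parse_version(text):
    """Turn 'v1.18.3' or '1.18.3-rc1' into a (major, minor, patch) tuple."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(version):
    """True if this Cilium version lies inside one of the affected ranges above."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def looks_like_wg_key(token):
    """True if the token is valid base64 for exactly 32 bytes, the shape of a WireGuard key."""
    try:
        return len(base64.b64decode(token, validate=True)) == 32
    except ValueError:
        return False

def redact_wireguard_keys(text):
    """Redact key-shaped values on lines that name a private key; returns (text, count)."""
    count, out = 0, []
    for line in text.splitlines(keepends=True):
        if PRIVATE_FIELD.search(line):
            for token in KEY_TOKEN.findall(line):
                if looks_like_wg_key(token):
                    line, count = line.replace(token, REDACTED), count + 1
        out.append(line)
    return "".join(out), count

# Constructed sample resembling a `wg showconf`-style capture; the keys are deliberately non-secret.
SAMPLE_PRIVATE_KEY = base64.b64encode(bytes(range(32))).decode()
SAMPLE_PUBLIC_KEY = base64.b64encode(bytes(range(32, 64))).decode()
SAMPLE_CAPTURE = f"[Interface]\nPrivateKey = {SAMPLE_PRIVATE_KEY}\n[Peer]\nPublicKey = {SAMPLE_PUBLIC_KEY}\n"

if __name__ == "__main__":
    text, n = redact_wireguard_keys(SAMPLE_CAPTURE)
    print(f"cilium 1.18.3 affected: {is_affected('1.18.3')}; redacted {n} key(s)\n{text}")
```

Run it over each extracted text file of an archive before sharing; a non-zero count means the archive contained private-key material and the rotation step above applies.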

Evidence notes

CVE description confirms WireGuard-specific data exposure in cilium-bugtool output. CPE criteria define the affected version ranges: all versions below 1.17.15, 1.18.0 through 1.18.8, and 1.19.0 through 1.19.2. CWE-200 (Information Exposure) and CWE-312 (Cleartext Storage of Sensitive Information) are cited by both the GitHub Security Advisory and NVD. CVSS 3.1 vector AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N yields a score of 7.9, with the scope change indicating impact beyond the vulnerable component.

Official resources

2026-05-08T23:16:35.597Z