CVE-2026-34992: CWE-311: Missing Encryption of Sensitive Data in antrea-io antrea
CVE-2026-34992 is a vulnerability in antrea-io's Antrea Kubernetes networking solution affecting versions prior to 2. 4. 5 and between 2. 5. 0 and 2. 5. 2. In dual-stack Kubernetes clusters configured with IPsec encryption enabled, IPv6 Pod traffic is not encrypted and is transmitted in plaintext, while IPv4 traffic remains encrypted. This occurs because the IPv6 packets bypass the IPsec encryption layer despite being encapsulated. Single-stack IPv4 or IPv6 clusters are not affected.
AI Analysis
Technical Summary
Antrea is a Kubernetes networking solution that supports dual-stack (IPv4 and IPv6) clusters with IPsec encryption for Pod traffic. Versions prior to 2.4.5 and between 2.5.0 and 2.5.2 have a vulnerability where IPv6 Pod traffic is not encrypted despite IPsec being enabled. The IPv6 packets are encapsulated using Geneve or VXLAN but bypass the IPsec encryption layer, resulting in plaintext transmission of IPv6 Pod traffic. IPv4 traffic remains properly encrypted using ESP. This issue affects only dual-stack clusters with IPsec encryption enabled and does not impact single-stack IPv4 or IPv6 clusters. The vulnerability is tracked as CWE-311 (Missing Encryption of Sensitive Data). Fixed versions are 2.4.5 and 2.5.2.
Potential Impact
The vulnerability allows IPv6 Pod traffic in dual-stack Kubernetes clusters with IPsec encryption enabled to be transmitted without encryption, exposing sensitive inter-Node Pod communication to potential interception or eavesdropping. IPv4 traffic remains protected. This compromises confidentiality of IPv6 Pod traffic in affected environments. Single-stack clusters and clusters without IPsec encryption are not impacted.
Mitigation Recommendations
Users should upgrade Antrea to version 2.4.5 or later, or 2.5.2 or later, where this vulnerability is fixed. Since the vulnerability specifically affects dual-stack clusters with IPsec encryption enabled, verifying cluster configuration and applying the fixed versions will remediate the issue. Patch status is not explicitly stated beyond fixed versions; therefore, users should consult the vendor advisory for the latest remediation guidance.
CVE-2026-34992: CWE-311: Missing Encryption of Sensitive Data in antrea-io antrea
Description
CVE-2026-34992 is a vulnerability in antrea-io's Antrea Kubernetes networking solution affecting versions prior to 2. 4. 5 and between 2. 5. 0 and 2. 5. 2. In dual-stack Kubernetes clusters configured with IPsec encryption enabled, IPv6 Pod traffic is not encrypted and is transmitted in plaintext, while IPv4 traffic remains encrypted. This occurs because the IPv6 packets bypass the IPsec encryption layer despite being encapsulated. Single-stack IPv4 or IPv6 clusters are not affected.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Antrea is a Kubernetes networking solution that supports dual-stack (IPv4 and IPv6) clusters with IPsec encryption for Pod traffic. Versions prior to 2.4.5 and between 2.5.0 and 2.5.2 have a vulnerability where IPv6 Pod traffic is not encrypted despite IPsec being enabled. The IPv6 packets are encapsulated using Geneve or VXLAN but bypass the IPsec encryption layer, resulting in plaintext transmission of IPv6 Pod traffic. IPv4 traffic remains properly encrypted using ESP. This issue affects only dual-stack clusters with IPsec encryption enabled and does not impact single-stack IPv4 or IPv6 clusters. The vulnerability is tracked as CWE-311 (Missing Encryption of Sensitive Data). Fixed versions are 2.4.5 and 2.5.2.
Potential Impact
The vulnerability allows IPv6 Pod traffic in dual-stack Kubernetes clusters with IPsec encryption enabled to be transmitted without encryption, exposing sensitive inter-Node Pod communication to potential interception or eavesdropping. IPv4 traffic remains protected. This compromises confidentiality of IPv6 Pod traffic in affected environments. Single-stack clusters and clusters without IPsec encryption are not impacted.
Mitigation Recommendations
Users should upgrade Antrea to version 2.4.5 or later, or 2.5.2 or later, where this vulnerability is fixed. Since the vulnerability specifically affects dual-stack clusters with IPsec encryption enabled, verifying cluster configuration and applying the fixed versions will remediate the issue. Patch status is not explicitly stated beyond fixed versions; therefore, users should consult the vendor advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-31T19:38:31.618Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d4982faaed68159ac9fe11
Added to database: 4/7/2026, 5:37:51 AM
Last enriched: 4/14/2026, 4:10:17 PM
Last updated: 5/23/2026, 11:00:42 PM
Views: 70
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.