CVE-2026-3864: CWE-22 Path Traversal in Kubernetes CSI Driver for NFS
A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequences (../). During volume deletion or cleanup operations, the driver could operate on unintended directories outside the intended managed path within the NFS export. This may lead to deletion or modification of directories on the NFS server.
AI Analysis
Technical Summary
CVE-2026-3864 affects the Kubernetes Container Storage Interface (CSI) Driver for NFS. The root cause is improper validation of the subDir parameter carried inside volume identifiers. That parameter names the subdirectory within an NFS export that a volume maps to, and the driver reuses it during volume deletion and cleanup to decide which directory on the export to remove. Because the value is not sanitised, an attacker who can create PersistentVolumes referencing the driver can embed path traversal sequences such as '../' in subDir, so that a cleanup operation resolves to a directory outside the managed path and deletes or alters data elsewhere on the NFS export. The precondition matters: PersistentVolume is a cluster-scoped resource, so creating one normally requires cluster-level RBAC rather than the namespaced PersistentVolumeClaim rights ordinary tenants hold, and for dynamically provisioned volumes the identifier is produced by the driver itself rather than written by a user. The realistic attacker is therefore a cluster administrator, a compromised controller or GitOps pipeline that is permitted to create PersistentVolumes, or someone who has escalated into such a role. No user interaction is needed. This page does not enumerate affected version ranges, and no patch is linked. The CVSS v3.1 base score of 6.5 (medium) is consistent with the vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H: network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, and high impact on integrity and availability with no confidentiality impact. No exploitation in the wild has been reported. The weakness class is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'), in which insufficient validation of a path component lets an attacker reach files or directories outside the intended scope.
Potential Impact
The impact falls on the integrity and availability of data held on the NFS servers behind Kubernetes clusters, not on confidentiality. An attacker who can create PersistentVolumes can make the driver delete or modify directories outside the designated volume paths, causing data loss or corruption on the NFS server, downtime for applications that depend on that storage, and costly recovery. Because the deletion is carried out by the driver rather than by the attacker's own workload, it runs with the access the driver's NFS mount has to the export, so NFS-side export permissions, not Kubernetes RBAC, are what bound the damage once a malicious PersistentVolume exists. The high-privilege precondition means the issue is less a tenant escape than a blast-radius amplifier: a cluster administrator, or an attacker who has compromised an account or controller holding PersistentVolume rights, can reach NFS data belonging to every workload that shares the export, which makes shared and multi-tenant clusters the most exposed. Any Kubernetes deployment using the CSI Driver for NFS is in scope, and NFS remains a common persistent storage backend in enterprises. The network attack vector and absence of user interaction mean exploitation can be scripted through the Kubernetes API once the required privileges are held. No known exploits have been reported, but the ease of triggering the condition and the destructive outcome make this a significant concern for clusters hosting critical workloads.
Mitigation Recommendations
To mitigate CVE-2026-3864, organizations should implement the following measures:
1) Restrict the ability to create PersistentVolumes to trusted administrators and the provisioning controllers that genuinely need it. PersistentVolume is cluster-scoped, so review the ClusterRoles and ClusterRoleBindings that grant create on persistentvolumes (kubectl auth can-i create persistentvolumes --as=<subject> is a quick per-identity check) and remove the permission from CI/CD and operator service accounts that only need PersistentVolumeClaims.
2) Monitor Kubernetes audit logs for PersistentVolume create and update events whose spec.csi.volumeHandle carries a '..' component or an absolute path in the subDir field, and alert on them.
3) Enforce validation before the identifier reaches the driver: a validating admission webhook or ValidatingAdmissionPolicy that rejects PersistentVolumes whose spec.csi.driver is the NFS driver (nfs.csi.k8s.io upstream) and whose spec.csi.volumeHandle contains a '..' component or an absolute subDir.
4) Export to Kubernetes only the directory tree the driver is meant to manage, rather than a whole filesystem, and apply the least permissive NFS export options (for example root_squash) so that a traversal cannot reach unrelated directories on the server.
5) Back up NFS server data regularly and test restores, so that accidental or malicious deletions can be recovered.
6) Track the upstream advisory for a fixed release of the CSI Driver for NFS and upgrade promptly once one is available.
7) Consider runtime monitoring of the driver's controller pod for unlink and rmdir activity outside the expected volume directories.
8) Review and harden Kubernetes RBAC generally to close privilege-escalation paths (for example, rights to create pods with privileged service accounts, or to bind ClusterRoles) that would let a lower-privileged actor obtain PersistentVolume creation rights.
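The following Go program is an added example written for this page; it is not code from the csi-driver-nfs project. It illustrates two things at once: the CWE-22 pattern described in the Technical Summary (an unchecked subDir joined under the managed directory, beside a hardened version that confines the cleanup path) and the admission-time check suggested in mitigations 2 and 3 (vetting a PersistentVolume's volumeHandle before the driver ever sees it). The '#'-delimited handle layout server#baseDir#subDir#uuid, the ExportRoot mount point and all function names are assumptions made for the illustration; the real driver's handle format must be substituted before using this as a webhook rule.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ExportRoot is the local mount point under which the controller stages the
// NFS export while it cleans up a deleted volume. Constructed for this example.
const ExportRoot = "/tmp/nfs-export-root"

// parseVolumeHandle splits a '#'-delimited volume identifier into its fields.
// The layout server#baseDir#subDir#uuid is an ASSUMPTION for this illustration,
// not taken from the driver's source; adjust it to the real handle format.
func parseVolumeHandle(handle string) (server, baseDir, subDir string, err error) {
	parts := strings.Split(handle, "#")
	if len(parts) < 3 {
		return "", "", "", fmt.Errorf("volume handle %q: want at least 3 '#'-separated fields, got %d", handle, len(parts))
	}
	return parts[0], parts[1], parts[2], nil
}

// unsafeCleanupPath reproduces the CWE-22 pattern the advisory describes: the
// attacker-controlled subDir is joined under the managed directory with no
// containment check. filepath.Join collapses "../" components, so a subDir of
// "../../etc" resolves above the managed path, and a RemoveAll on the result
// would delete it.
func unsafeCleanupPath(baseDir, subDir string) string {
	return filepath.Join(ExportRoot, baseDir, subDir)
}

// strictlyUnder reports whether child lies beneath parent (and is not parent
// itself) after lexical cleaning. Symlinks on the export are not resolved here.
func strictlyUnder(parent, child string) bool {
	rel, err := filepath.Rel(parent, child)
	if err != nil || rel == "." || rel == ".." {
		return false
	}
	return !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeCleanupPath is the hardened form: it rejects empty or absolute subDir
// values and any ".." component up front, then re-verifies that the cleaned
// result lies strictly inside the managed directory, which must itself lie
// inside the export root.
func safeCleanupPath(baseDir, subDir string) (string, error) {
	if subDir == "" {
		return "", errors.New("empty subDir")
	}
	if filepath.IsAbs(subDir) {
		return "", fmt.Errorf("subDir %q must be relative", subDir)
	}
	for _, seg := range strings.Split(filepath.ToSlash(subDir), "/") {
		if seg == ".." {
			return "", fmt.Errorf("subDir %q contains a parent-directory component", subDir)
		}
	}
	managed := filepath.Clean(filepath.Join(ExportRoot, baseDir))
	if !strictlyUnder(ExportRoot, managed) {
		return "", fmt.Errorf("baseDir %q escapes export root %s", baseDir, ExportRoot)
	}
	target := filepath.Clean(filepath.Join(managed, subDir))
	if !strictlyUnder(managed, target) {
		return "", fmt.Errorf("subDir %q escapes managed directory %s", subDir, managed)
	}
	return target, nil
}

// vetVolumeHandle is the check an admission webhook or audit scanner would run
// on spec.csi.volumeHandle before the PersistentVolume reaches the driver.
func vetVolumeHandle(handle string) error {
	_, baseDir, subDir, err := parseVolumeHandle(handle)
	if err != nil {
		return err
	}
	_, err = safeCleanupPath(baseDir, subDir)
	return err
}

func main() {
	// Constructed sample handles: one benign, two with '..' traversal, one absolute.
	handles := []string{
		"nfs.example.internal#/exports/k8s#pvc-0f3a#uuid-1",
		"nfs.example.internal#/exports/k8s#../../etc#uuid-2",
		"nfs.example.internal#/exports/k8s#/etc#uuid-3",
		"nfs.example.internal#/exports/k8s#a/../../../etc#uuid-4",
	}
	for _, h := range handles {
		_, baseDir, subDir, _ := parseVolumeHandle(h)
		fmt.Printf("handle    : %s\n", h)
		fmt.Printf("  unsafe  : would RemoveAll %s\n", unsafeCleanupPath(baseDir, subDir))
		if p, err := safeCleanupPath(baseDir, subDir); err != nil {
			fmt.Printf("  hardened: REJECT (%v)\n", err)
		} else {
			fmt.Printf("  hardened: ok, cleanup confined to %s\n", p)
		}
	}
}
```

The containment check is deliberately lexical: it decides from the string alone, which is all an admission controller has. On the driver side, a production fix would additionally resolve symlinks on the mounted export before deleting, since a symlink planted inside the managed directory can escape a purely lexical check.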
Affected Countries
United States, Germany, United Kingdom, Japan, India, Canada, Australia, France, Netherlands, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: kubernetes
- Date Reserved: 2026-03-10T06:18:16.575Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bdcad201d25e334c8cba96
Added to database: 3/20/2026, 10:31:46 PM
Last enriched: 3/20/2026, 10:40:40 PM
Last updated: 3/21/2026, 12:03:22 AM