Summary
The latest k8s-dns-node-cache image tag (1.26.7) contains the following unpatched CVEs detected by Grype scan:
| CVE ID | Package | Current Version | Fixed In | Severity |
| --- | --- | --- | --- | --- |
| CVE-2025-15467 | libssl3 | 3.0.17-1~deb12u3 | 3.0.18-1~deb12u2 | Critical (CVSS 9.8) |
| CVE-2025-13281 | k8s.io/kubernetes | v1.34.1 | 1.34.2 | Medium |
| CVE-2025-64702 | github.com/quic-go/quic-go | v0.55.0 | 0.57.0 | Medium |
Impact
These CVEs are detected by Grype scans of the published registry.k8s.io/dns/k8s-dns-node-cache:1.26.7 image. Downstream consumers who pin to this tag cannot remediate without an upstream rebuild or new release.
Request
Could the k8s-dns-node-cache image be rebuilt with updated dependencies, or a new patch release be published that addresses these vulnerabilities? Specifically:
- Rebuild the Debian base layer to pick up libssl3 >= 3.0.18-1~deb12u2
- Update k8s.io/kubernetes to >= 1.34.2
- Update github.com/quic-go/quic-go to >= 0.57.0