Summary
The official cluster-autoscaler container images across all active release branches are built with a version of the Go standard library affected by CVE-2026-25679. The vulnerability was patched in Go 1.25.8 and Go 1.26.1 on 2026-03-06. No cluster-autoscaler release has been cut since those patches were published, leaving all current images vulnerable.
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25679
CVSS Score: 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Impact: Availability (DoS) — no confidentiality or integrity impact
Fixed in: Go 1.25.8 and Go 1.26.1
Impacted versions: v1.33.x, v1.34.x and v1.35.x
Requested Action
- Rebuild and release patched cluster-autoscaler images compiled with Go >= 1.25.8 or >= 1.26.1 for all active release branches (1.33.x, 1.34.x, 1.35.x).
- Update go.mod on each release branch to go 1.25.8 (or higher) so that the CI build system selects a patched toolchain automatically.
- Publish release notes clearly noting the Go toolchain bump as a security fix for CVE-2026-25679.
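A way to verify which toolchain a given cluster-autoscaler image was actually built with, as an added example that is not part of this issue or the project's code: it reads the build metadata embedded in a Go binary (copied out of the image, e.g. with `docker cp`) and applies the fixed-version rule stated above (1.25.8 / 1.26.1). The fail-closed handling of unparseable or pre-release strings is an assumption of this checker.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// First patch level per release line carrying the fix (Go 1.25.8 and Go 1.26.1
// per the advisory); release lines older than 1.25 never received it.
var firstFixed = map[int]int{25: 8, 26: 1}
var goVer = regexp.MustCompile(`^go1\.(\d+)(?:\.(\d+))?`)

// isPatched reports whether a toolchain version string ("go version" output or
// debug.BuildInfo.GoVersion) contains the CVE-2026-25679 fix; unparseable fails closed.
func isPatched(version string) bool {
	m := goVer.FindStringSubmatch(version)
	if m == nil {
		return false
	}
	minor, _ := strconv.Atoi(m[1])
	patch, _ := strconv.Atoi(m[2]) // missing patch level ("go1.26rc1") counts as 0
	switch {
	case minor < 25:
		return false // 1.24 and older were never patched
	case minor > 26:
		return true // cut after the fix landed
	default:
		return patch >= firstFixed[minor]
	}
}

// checkBinary reads the build metadata embedded in a compiled Go binary (such as
// the cluster-autoscaler executable from a release image) and reports its toolchain.
func checkBinary(path string) (string, bool, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	return bi.GoVersion, isPatched(bi.GoVersion), nil
}

func main() {
	for _, p := range os.Args[1:] { // paths to binaries, e.g. after `docker cp`
		v, ok, err := checkBinary(p)
		fmt.Printf("%s: version=%q patched=%v err=%v\n", p, v, ok, err)
	}
}
```

The same version rule can be applied to the `go` directive in each branch's go.mod to confirm the toolchain bump requested above.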