Fixing CVE-2026-35469: Mitigating spdystream DoS in Kubernetes
What's the problem?
Resolve CVE-2026-35469 by upgrading spdystream to v0.5.1. Secure your Kubernetes control plane against DoS attacks targeting SPDY stream multiplexing logic.
Why does this happen?
The vulnerability stems from improper validation of SPDY control frames in spdystream v0.5.0, allowing attackers to trigger resource exhaustion or 'zombie' streams. This flaw permits malicious clients to destabilize the API server by bypassing state machine constraints during bidirectional communication.
Code Example
# Update your go.mod file to resolve the vulnerability
$ go get github.com/moby/spdystream@v0.5.1
$ go mod tidy
# After building, perform a rolling restart of the API server
$ kubectl rollout restart deployment kube-apiserver -n kube-system
How to fix it
To remediate this security risk, you must update the dependency and redeploy the affected components. First, update the module version in your go.mod file to v0.5.1. Run 'go mod tidy' so that go.mod and go.sum carry the new version and checksums, then perform a clean build of your Kubernetes API server and any controllers that import the library. Finally, perform a rolling restart of your control plane pods so that every active connection is terminated and re-established using the patched library.
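The procedure above starts from knowing which version of spdystream a build is pinned to. The following shell script, added here as an example and not part of the advisory or the spdystream project, reads a go.mod file and reports whether its spdystream pin is older than the fixed v0.5.1. The function names, the sample go.mod and its other module versions are constructed for this example; the version comparison is a plain numeric dotted compare that ignores pre-release and pseudo-version suffixes.

```shell
#!/bin/sh
# Added example (not from the advisory): check whether a go.mod still pins
# github.com/moby/spdystream below the fixed version v0.5.1.
# Function names and the sample go.mod below are constructed for this example.

FIXED_VERSION="v0.5.1"
MODULE_PATH="github.com/moby/spdystream"

# Print the spdystream version pinned in the given go.mod (direct or
# "// indirect", block or single-line require form); print nothing if absent.
spdystream_version() {
    awk -v mod="$MODULE_PATH" '
        $1 == mod { print $2; exit }
        $1 == "require" && $2 == mod { print $3; exit }
    ' "$1"
}

# Return 0 (true) when version $1 is strictly older than version $2.
# Compares dotted numeric components; "v" prefixes and any pre-release or
# pseudo-version suffix after the last numeric component are ignored.
version_older_than() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/^v/, "", a); sub(/^v/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Return 0 (true) when the go.mod at $1 pins spdystream below FIXED_VERSION.
spdystream_needs_upgrade() {
    ver=$(spdystream_version "$1")
    if [ -z "$ver" ]; then
        return 1   # module not present in this go.mod at all
    fi
    version_older_than "$ver" "$FIXED_VERSION"
}

# Constructed sample go.mod that still pins the vulnerable version.
SAMPLE_GOMOD=$(mktemp)
cat > "$SAMPLE_GOMOD" <<'EOF'
module example.com/constructed-sample

go 1.22

require (
	github.com/moby/spdystream v0.5.0
	k8s.io/apimachinery v0.31.0
)
EOF

if spdystream_needs_upgrade "$SAMPLE_GOMOD"; then
    echo "go.mod pins spdystream $(spdystream_version "$SAMPLE_GOMOD"): upgrade to $FIXED_VERSION"
else
    echo "spdystream is absent or already at $FIXED_VERSION or newer"
fi
```

Run it against a real go.mod by replacing the constructed sample path with your own file. Note that in many clusters kube-apiserver runs as a static pod managed by the kubelet rather than as a Deployment, so the restart step in the advisory needs to be adapted to however your control plane is actually deployed.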