Fixing CVE-2026-35469: Mitigating spdystream Vulnerabilities in Kubernetes
What's the problem?
CVE-2026-35469 affects the Kubernetes API Server through its spdystream dependency, the library that carries the streams behind kubectl exec, attach and port-forward. Left unpatched, the dependency exposes the API Server to DoS attacks and memory leaks; the fix is to move the cluster's build to the patched spdystream release.
Why does this happen?
The vulnerability stems from improper stream lifecycle management in spdystream v0.5.0: malformed control frames trigger null pointer dereferences or resource leaks. An attacker can use kubectl exec, attach, or port-forward sessions to crash the API Server or exhaust its resources.
Code Example
# Update your go.mod file to force the patched version:
$ go get github.com/moby/spdystream@v0.5.1
$ go mod tidy
# Verify the update in go.mod:
require (
    github.com/moby/spdystream v0.5.1 // indirect
)
How to fix it
To remediate this vulnerability, you must update the spdystream dependency to version v0.5.1 or later within your Kubernetes source or custom controller modules.
1. Navigate to your project root.
2. Run 'go get github.com/moby/spdystream@v0.5.1'.
3. Update your 'go.sum' file to reflect the new dependency checksums.
4. Rebuild your binary and perform a rolling restart of your API Server instances to apply the hardened stream-handling logic.
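As an added check that is not part of the original page, the POSIX shell script below audits a go.mod, the output of 'go list -m all', or the output of 'go version -m <binary>' for a spdystream version older than v0.5.1, so you can confirm the fix landed in the built API Server and not only in source. The names MODULE, FIXED, version_lt and check_spdystream are the script's own, and the go.mod excerpt at the end is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the page): flag a spdystream requirement below the fixed release.
# Input on stdin may be a go.mod, `go list -m all` output, or `go version -m <binary>` output.
MODULE="github.com/moby/spdystream"
FIXED="v0.5.1"   # first release the page names as patched

# version_lt A B: exit 0 when Go module version A is older than B.
# Handles "vX.Y.Z" and pre-release/pseudo-versions ("v0.5.1-0.20240101000000-abcdef123456"),
# which Go ranks below the matching release, so a pseudo-version of v0.5.1 still counts as old.
version_lt() {
    awk -v a="$1" -v b="$2" '
    function key(v,   core, n, p, pre) {
        sub(/^v/, "", v); sub(/\+.*$/, "", v)          # drop leading "v" and build metadata
        pre = 0; core = v
        if (index(v, "-")) { core = substr(v, 1, index(v, "-") - 1); pre = 1 }
        n = split(core, p, ".")
        while (n < 3) p[++n] = 0                       # pad "v1" or "v1.2" to three components
        return sprintf("%06d.%06d.%06d.%d", p[1], p[2], p[3], !pre)
    }
    BEGIN { exit (key(a) < key(b)) ? 0 : 1 }'
}

# check_spdystream: prints ABSENT, "OK <ver>" or "VULNERABLE <ver>"; returns 1 only when vulnerable.
# The module name is matched in any field, so go.mod lines, "module version" lines and
# tab-separated "dep module version hash" lines are all accepted.
check_spdystream() {
    ver=$(awk -v m="$MODULE" '{ for (i = 1; i < NF; i++) if ($i == m) { print $(i + 1); exit } }')
    if [ -z "$ver" ]; then echo "ABSENT"; return 0; fi
    if version_lt "$ver" "$FIXED"; then echo "VULNERABLE $ver"; return 1; fi
    echo "OK $ver"; return 0
}

# Constructed sample: a go.mod require block still pinned to the vulnerable release.
SAMPLE_GOMOD='require (
	github.com/moby/spdystream v0.5.0 // indirect
)'

# Stand-alone demonstration; in a pipeline you would feed `go version -m /path/to/kube-apiserver`.
printf '%s\n' "$SAMPLE_GOMOD" | check_spdystream || echo "action: go get $MODULE@$FIXED && go mod tidy"
```

Run it against the real binary with 'go version -m kube-apiserver | sh audit.sh' style input; a non-zero exit means the rolling restart in step 4 is still shipping the vulnerable library.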