4

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-32793

CVE-2025-32793: In Cilium, packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters

Impact

When using Wireguard transparent encryption in a Cilium cluster, packets that originate from a terminating endpoint can leave the source node without encryption due to a race condition in how traffic is processed by Cilium.

Patches

This issue has been patched in https://github.com/cilium/cilium/pull/38592.

This issue affects:

Cilium v1.15 between v1.15.0 and v1.15.15 inclusive
Cilium v1.16 between v1.16.0 and v1.16.8 inclusive
Cilium v1.17 between v1.17.0 and v1.17.2 inclusive

This issue is fixed in:

Cilium v1.15.16
Cilium v1.16.9
Cilium v1.17.3

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @gandro and @pippolo84 for reporting this issue and to @julianwiedmann for the patch.

For more information

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-32793

CVE-2025-32793:

4

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/cilium/cilium	go	>= 1.13.0, < 1.15.16	1.15.16
github.com/cilium/cilium	go	>= 1.16.0, < 1.16.9	1.16.9
github.com/cilium/cilium	go	>= 1.17.0, < 1.17.3	1.17.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description and commit message indicate a race condition where packets from terminating endpoints might not be encrypted. The patch (commit 0de9ea6ec94ceb16b7c16924f048a83e7332dbc2) modifies wg_maybe_redirect_to_encrypt in bpf/lib/wireguard.h and its caller in bpf/bpf_host.c. The core issue was that wg_maybe_redirect_to_encrypt previously performed an ipcache lookup for the source security identity. This lookup could fail or return an incorrect identity for a terminating endpoint due to the race condition, leading to encryption being skipped. The patch changes wg_maybe_redirect_to_encrypt to accept the source security identity (obtained earlier and more reliably from skb->mark via cil_to_netdev) as a parameter, thus avoiding the racy ipcache lookup within the function itself for determining the source identity. Therefore, the pre-patch version of wg_maybe_redirect_to_encrypt is identified as the vulnerable function because its logic for determining the source security identity was flawed under race conditions for terminating pods, leading to incorrect encryption decisions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-32793: In Cilium, packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters

Impact

Patches

Workarounds

Acknowledgements

For more information

CVE-2025-32793:

4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-32793: In Cilium, packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters

Impact

Patches

Workarounds

Acknowledgements

For more information

4

4

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI