Back to overview

CVE-2026-63308

MEDIUM Exploitation: PoC
4.3
CVSS 3.1
Description
Helm through 4.2.3, fixed in commit ba6c9a2, contains a denial of service vulnerability in the Files.Lines template helper in pkg/engine/files.go that allows attackers to trigger an index out of range panic by including zero-length byte slices in chart files. Attackers can include empty files in Helm charts to cause deterministic render failures across template, install, upgrade, lint, and SDK Engine.Render operations.

Metadata

CVE ID
CVE-2026-63308
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-16 12:13 UTC
Published
2026-07-17 16:14 UTC
Last updated
2026-07-17 17:25 UTC
Primary CWE
CWE-129
Improper Validation of Array Index
Vendor / Product
helm / helm
Sources
cve.org  ·  NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
helm helm 0 ≤ 4.2.3, ba6c9a29efa7bf9198dad6a5ec12b4fb30c96017
Weakness (CWE)
CWESourceDescription
CWE-129 cna Improper Validation of Array Index
CVSS scores (2)
ScoreSeverityVersionSourceVector
5.3 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
4.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Back to overview