PT-2024-2571 · Helm+2

Jake-Ciolek · Published 2024-02-21 · Updated 2025-11-28

CVE-2024-26147

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Helm versions prior to 3.14.2

Description: The issue is an uninitialized variable vulnerability that occurs when Helm parses index and plugin YAML files that are missing expected content. This can cause a panic in Helm when either an index.yaml file or a plugin's plugin.yaml file is missing all metadata. The vulnerability is found in the Helm SDK when using the LoadIndexFile or DownloadIndexFile functions in the repo package or the LoadDir function in the plugin package. For the Helm client, this impacts functions around adding a repository, and all Helm functions if a malicious plugin is added.

Recommendations: If using Helm versions prior to 3.14.2, update to Helm v3.14.2 to resolve the issue. If a malicious plugin has been added and is causing all Helm client commands to panic, manually remove the malicious plugin from the filesystem. For Helm SDK versions prior to 3.14.2, calls to the affected functions can use recover to catch the panic.
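The recover-based mitigation in the recommendations, shown as an added example that is not Helm's code or part of this advisory. loadPluginStandIn is a constructed model of the failure mode (metadata allocated only when a field is seen, then dereferenced unconditionally during validation), not Helm's plugin.LoadDir; SafeLoadPlugin is the hypothetical wrapper an SDK caller would put around a call such as plugin.LoadDir or repo.LoadIndexFile until they can upgrade to 3.14.2. Both sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// PluginMeta and Plugin are constructed stand-ins for a plugin.yaml
// description; they are not Helm's plugin package types.
type PluginMeta struct {
	Name    string
	Version string
}

type Plugin struct {
	Metadata *PluginMeta
}

// loadPluginStandIn models the pre-3.14.2 failure mode the advisory
// describes: the parser only allocates Metadata when it sees a known
// field, and the validation step then dereferences it unconditionally.
// A file with no metadata at all therefore panics with a nil pointer
// dereference. Constructed model, not Helm's loader.
func loadPluginStandIn(yamlText string) (*Plugin, error) {
	p := &Plugin{}
	for _, raw := range strings.Split(yamlText, "\n") {
		parts := strings.SplitN(strings.TrimSpace(raw), ":", 2)
		if len(parts) != 2 {
			continue
		}
		key, val := parts[0], strings.TrimSpace(parts[1])
		switch key {
		case "name", "version":
			if p.Metadata == nil {
				p.Metadata = &PluginMeta{}
			}
			if key == "name" {
				p.Metadata.Name = val
			} else {
				p.Metadata.Version = val
			}
		}
	}
	// Validation assumes the parse populated Metadata; with an empty file
	// Metadata is still nil and this line panics.
	if p.Metadata.Name == "" {
		return nil, errors.New("plugin.yaml: name is required")
	}
	return p, nil
}

// SafeLoadPlugin wraps the loader with recover, the mitigation the advisory
// gives for SDK callers on versions before 3.14.2. A panic inside the loader
// becomes an ordinary error for the caller to handle (for example by
// rejecting the plugin directory) instead of taking the whole process down.
func SafeLoadPlugin(yamlText string) (p *Plugin, err error) {
	defer func() {
		if r := recover(); r != nil {
			p = nil
			err = fmt.Errorf("plugin load panicked (treat file as malformed): %v", r)
		}
	}()
	return loadPluginStandIn(yamlText)
}

// Constructed sample inputs: a well-formed plugin.yaml and one with no
// metadata at all, the case the advisory describes.
const goodPluginYAML = "name: example-plugin\nversion: 1.0.0\n"
const emptyPluginYAML = "# a plugin.yaml with no metadata at all\n"

func main() {
	for _, in := range []string{goodPluginYAML, emptyPluginYAML} {
		p, err := SafeLoadPlugin(in)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("loaded %s %s\n", p.Metadata.Name, p.Metadata.Version)
	}
}
```

The wrapper only contains the crash; it does not make the file valid. A caller should log the recovered error and refuse to use the repository index or plugin, which is the same outcome the fixed loader reaches by returning an error instead of panicking.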

Weakness Enumeration

Use of Uninitialized Resource

Related Identifiers

ALT-PU-2024-7321
ALT-PU-2024-8552
ALT-PU-2025-10258
ALT-PU-2025-1444
AZL-34454
AZL-34584
AZL-38497
BDU:2024-02609
BIT-HELM-2024-26147
CVE-2024-26147
GHSA-R53H-JV2G-VPX6
GO-2024-2575
OPENSUSE-SU-2024:13708-1
OPENSUSE-SU-2024:13778-1
OPENSUSE-SU-2024:13918-1
OPENSUSE-SU-2024_1137-1
OPENSUSE-SU-2025:15779-1
SUSE-RU-2024:4213-1
SUSE-SU-2024:1137-1
SUSE-SU-2025:20196-1
SUSE-SU-2025:20278-1

Affected Products

Alt Linux
Helm
Suse