{"id":"CVE-2025-32793","summary":"Cilium packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters","details":"Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.15.0 to 1.15.15, 1.16.0 to 1.16.8, and 1.17.0 to 1.17.2 are vulnerable when Wireguard transparent encryption is used in a Cilium cluster: packets that originate from a terminating endpoint can leave the source node without encryption because of a race condition in how Cilium processes traffic. This issue has been patched in versions 1.15.16, 1.16.9, and 1.17.3. There are no workarounds available for this issue.","aliases":["BIT-cilium-2025-32793","BIT-cilium-operator-2025-32793","BIT-hubble-relay-2025-32793","GHSA-5vxx-c285-pcq4","GO-2025-3635"],"modified":"2026-04-10T05:25:14.482983Z","published":"2025-04-21T15:34:14.315Z","related":["CGA-34g5-vr79-8947","openSUSE-SU-2025:15017-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32793.json","cwe_ids":["CWE-319"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32793.json"},{"type":"ADVISORY","url":"https://github.com/cilium/cilium/security/advisories/GHSA-5vxx-c285-pcq4"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32793"},{"type":"FIX","url":"https://github.com/cilium/cilium/pull/38592"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cilium/cilium","events":[{"introduced":"c9723a8df3cfa336da1f8457a864105d8349acfe"},{"fixed":"a0ee30f5ee96eaf4766453e0cae7759a6965b90d"}],"database_specific":{"versions":[{"introduced":"v1.13.0"},{"fixed":"v1.15.16"}]}},{"type":"GIT","repo":"https://github.com/cilium/cilium","events":[{"introduced":"82999990bc954699cf24853ef9747d9166ee24c8"},{"fixed":"bf7387b2b6aed80d9c8e4c04f8fc7dd6040ed93d"}],"database_specific":{"versions":[{"introduced":"v1.16
.0"},{"fixed":"v1.16.9"}]}},{"type":"GIT","repo":"https://github.com/cilium/cilium","events":[{"introduced":"c2bbf787eab9b7f728fcc861904d9bcf17e4ba9b"},{"fixed":"3993bd066abcf2d493f38cbeeb104174b7ef1ed0"}],"database_specific":{"versions":[{"introduced":"v1.17.0"},{"fixed":"v1.17.3"}]}}],"versions":["1.16.0","1.16.1","1.16.2","1.16.3","1.16.4","1.16.5","1.16.6","1.16.7","1.16.8","1.17.0","1.17.1","1.17.2","v1.16.0","v1.16.1","v1.16.2","v1.16.3","v1.16.4","v1.16.5","v1.16.6","v1.16.7","v1.16.8","v1.17.0","v1.17.1","v1.17.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32793.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"}]}