CVE-2026-6437 - Mount Option Injection in Amazon EFS CSI Driver
Summary
The Amazon EFS CSI Driver is a Container Storage Interface driver that allows Kubernetes clusters to use Amazon Elastic File System.
Body
Bulletin ID: 2026-016-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2026/04/17 11:15 AM PDT
Description: The Amazon EFS CSI Driver is a Container Storage Interface driver that allows Kubernetes clusters to use Amazon Elastic File System. We identified CVE-2026-6437, where an actor with PersistentVolume creation privileges can inject arbitrary mount options via two unsanitized fields: the Access Point ID in volumeHandle and the mounttargetip volumeAttribute. In both cases, appending comma-separated values causes the mount utility to parse them as separate mount options. No AWS service is affected.
Impacted versions: EFS CSI Driver <= v3.0.0
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
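An added example, not part of the AWS bulletin or the driver's code: an audit of `kubectl get pv -o json` output that flags EFS CSI PersistentVolumes whose access point ID or mounttargetip is not a single bare value. The driver name `efs.csi.aws.com`, the `FileSystemId:Subpath:AccessPointId` handle layout, the `fsap-` ID pattern and the sample PVs are assumptions that do not appear in the bulletin.

```python
import ipaddress
import json
import re

EFS_DRIVER = "efs.csi.aws.com"  # CSI driver name (assumption, not in the bulletin)
# Assumed shape of a bare access point ID: "fsap-" followed by hex digits only.
AP_ID = re.compile(r"fsap-[0-9a-f]+")

def audit_pv(pv):
    """Return findings for one PersistentVolume dict."""
    csi = pv.get("spec", {}).get("csi") or {}
    if csi.get("driver") != EFS_DRIVER:
        return []
    findings = []
    # Assumed handle layout: FileSystemId[:Subpath[:AccessPointId]]
    parts = csi.get("volumeHandle", "").split(":")
    ap = ":".join(parts[2:])
    if ap and not AP_ID.fullmatch(ap):
        findings.append("volumeHandle: access point ID is not a bare fsap- ID")
    ip = (csi.get("volumeAttributes") or {}).get("mounttargetip")
    if ip is not None:
        try:
            ipaddress.ip_address(ip)  # rejects anything but one IP literal
        except ValueError:
            findings.append("mounttargetip: not a single IP address")
    return findings

def audit_pv_list(doc):
    """Map PV name -> findings for `kubectl get pv -o json` output."""
    report = {}
    for pv in json.loads(doc).get("items", []):
        found = audit_pv(pv)
        if found:
            report[pv["metadata"]["name"]] = found
    return report

def _sample_pv(name, handle, ip):  # builds a constructed PV for the demo
    return {"metadata": {"name": name}, "spec": {"csi": {
        "driver": EFS_DRIVER, "volumeHandle": handle,
        "volumeAttributes": {"mounttargetip": ip}}}}

# Constructed sample, not from the bulletin; EXAMPLE_OPTION is a placeholder.
SAMPLE = json.dumps({"items": [
    _sample_pv("pv-clean", "fs-0123456789abcdef0::fsap-0123456789abcdef0", "10.0.0.5"),
    _sample_pv("pv-suspect", "fs-0123456789abcdef0::fsap-0123456789abcdef0,EXAMPLE_OPTION",
               "10.0.0.5,EXAMPLE_OPTION"),
]})
if __name__ == "__main__":
    print(json.dumps(audit_pv_list(SAMPLE), indent=2))
```

The same two checks can back an admission policy that rejects such PersistentVolumes at creation time.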
Tags
- bulletin:2026-016-aws
- severity:important-requires-attention
- vendor:aws
Extended fields
{
  "author": "[email protected]",
  "bulletin_id": "2026-016-AWS",
  "content_type": "Important (requires attention)",
  "details": {
    "Bulletin ID": "2026-016-AWS",
    "Content Type": "Important (requires attention)",
    "Impacted versions": "EFS CSI Driver <= v3.0.0",
    "Publication Date": "2026/04/17 11:15 AM PDT",
    "Scope": "AWS"
  },
  "publication_detail": "2026/04/17 11:15 AM PDT",
  "scope": "AWS"
}