Helm through 4.2.3, fixed in commit ba6c9a2, contains a denial of service vulnerability in the Files.Lines template helper in pkg/engine/files.go that allows attackers to trigger an index out of range panic by including zero-length byte slices in chart files. Attackers can include empty files in Helm charts to cause deterministic render failures across template, install, upgrade, lint, and SDK Engine.Render operations.
Metrics
Affected Vendors & Products
References
History
Fri, 17 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 17 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Helm through 4.2.3, fixed in commit ba6c9a2, contains a denial of service vulnerability in the Files.Lines template helper in pkg/engine/files.go that allows attackers to trigger an index out of range panic by including zero-length byte slices in chart files. Attackers can include empty files in Helm charts to cause deterministic render failures across template, install, upgrade, lint, and SDK Engine.Render operations. | |
| Title | Helm Files.Lines Denial of Service via Empty Chart Files | |
| First Time appeared |
Helm
Helm helm |
|
| Weaknesses | CWE-129 | |
| CPEs | cpe:2.3:a:helm:helm:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Helm
Helm helm |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-17T17:25:42.234Z
Reserved: 2026-07-16T12:13:18.733Z
Link: CVE-2026-63308
Updated: 2026-07-17T17:25:39.025Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T17:45:04Z