CVE-2026-63308
Helm Files.Lines Denial of Service via Empty Chart Files
CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th
Helm through 4.2.3, fixed in commit ba6c9a2, contains a denial of service vulnerability in the Files.Lines template helper in pkg/engine/files.go that allows attackers to trigger an index out of range panic by including zero-length byte slices in chart files. Attackers can include empty files in Helm charts to cause deterministic render failures across template, install, upgrade, lint, and SDK Engine.Render operations.
| CWE | CWE-129 |
| Vendor | helm |
| Product | helm |
| Published | Jul 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for helm helm
Be the first to know when new medium vulnerabilities affecting helm helm are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
Affected Versions
helm / helm
0 โค 4.2.3
References
github.com: https://github.com/helm/helm/issues/32279 github.com: https://github.com/helm/helm/pull/32290 github.com: https://github.com/helm/helm/commit/ba6c9a29efa7bf9198dad6a5ec12b4fb30c96017 vulncheck.com: https://www.vulncheck.com/advisories/chat2db-insecure-direct-object-reference-via-get-api-connection-datasource
Credits
George Chen