The Azure Linux Kubernetes ingress controller is the front door for application traffic entering Azure-hosted environments — a successful exploit could give an attacker direct code execution on infrastructure routing production traffic, enabling data access, service disruption, or lateral movement into internal systems. Organizations running customer-facing applications through this component face potential service outages, unauthorized data access, and breach notification obligations if exploitation occurs before patching. The CVSS score of 9.8 reflects worst-case unauthenticated remote exploitation; while observed exploitation rates are currently low, the public disclosure of a critical RCE in a widely deployed cloud ingress component makes this a high-priority patching event before that changes.
You Are Affected If
You run application-gateway-kubernetes-ingress version 1.7.7-3 on Azure Linux 3.0 in production
Your AKS ingress controller is reachable from untrusted networks (internet-facing or accessible by external partners) without a validated WAF policy blocking malformed input
Your Go application or service imports golang.org/x/sys/windows and passes user-controlled string input to NewNTUnicodeString on a Windows-based workload
You have not yet applied the patched package version from the Microsoft Azure Linux 3.0 repository following the May 2026 Patch Tuesday advisory
Your software composition analysis pipeline does not currently track golang.org/x/sys/windows as a monitored dependency in your Go application builds
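To check the two Go-related conditions above against your own code, the following added example (not part of the advisory or of any vendor tooling) parses a Go source file and lists calls to NewNTUnicodeString from golang.org/x/sys/windows whose argument is not a string literal. The function name FindNTUnicodeCalls and the sample source are constructed for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)
// sample is constructed input for this example, not code from a real project.
const sample = `package svc
import win "golang.org/x/sys/windows"
func open(userPath string) {
	win.NewNTUnicodeString("fixed")
	win.NewNTUnicodeString(userPath)
}`
// FindNTUnicodeCalls lists NewNTUnicodeString calls whose argument is not a string literal.
func FindNTUnicodeCalls(name, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, name, src, 0)
	if err != nil {
		return nil, err
	}
	alias := "" // local name this file gives the package; stays empty if not imported
	for _, imp := range f.Imports {
		if imp.Path.Value == `"golang.org/x/sys/windows"` { // Value keeps its quotes
			alias = "windows"
			if imp.Name != nil {
				alias = imp.Name.Name // renamed import such as win
			}
		}
	}
	var hits []string
	ast.Inspect(f, func(n ast.Node) bool {
		call, _ := n.(*ast.CallExpr)
		if call == nil || len(call.Args) != 1 {
			return true
		}
		sel, _ := call.Fun.(*ast.SelectorExpr)
		_, isLit := call.Args[0].(*ast.BasicLit)
		if sel != nil && sel.Sel.Name == "NewNTUnicodeString" && !isLit {
			if pkg, _ := sel.X.(*ast.Ident); pkg != nil && pkg.Name == alias {
				hits = append(hits, fset.Position(call.Pos()).String())
			}
		}
		return true
	})
	return hits, nil
}
func main() { fmt.Println(FindNTUnicodeCalls("svc.go", sample)) }
```

Each reported position is a call site where the string's origin still has to be traced by hand. Dot imports and calls made through wrapper functions are not followed, so an empty result is a starting point for review.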
Board Talking Points
A critical security flaw rated 9.8 out of 10 was disclosed in the component that routes all incoming traffic to our Azure-hosted Kubernetes applications, and it can be exploited remotely without authentication.
The security team is patching affected systems immediately using the vendor-supplied fix from Microsoft's May 2026 update cycle — full remediation is targeted within 24-48 hours of this advisory.
If this is not patched before active exploitation begins, an attacker could execute code directly on our application infrastructure, potentially accessing sensitive data or taking services offline.