[AUTO-CHERRYPICK] [AutoPR- Security] Patch flannel for CVE-2026-32241 [HIGH] - branch 3.0-dev (#16371)

Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/flannel/CVE-2026-32241.patch

@@ -0,0 +1,126 @@
+From bc1e702975a42ffeaba702ea8e59f111557d0d13 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 30 Mar 2026 10:06:28 +0000
+Subject: [PATCH] Don't use shell invocations in extensions backend. Avoid
+ potential command injection by invoking commands directly and expanding env
+ var references without a shell. Also split configured command strings using
+ strings.Fields and pass env vars explicitly.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/flannel-io/flannel/commit/08bc9a4c990ae785d2fcb448f4991b58485cd26a.patch
+---
+ pkg/backend/extension/extension.go         | 35 ++++++++++++++++++++--
+ pkg/backend/extension/extension_network.go |  7 +++--
+ 2 files changed, 38 insertions(+), 4 deletions(-)
+
+diff --git a/pkg/backend/extension/extension.go b/pkg/backend/extension/extension.go
+index 111a04b..118a313 100644
+--- a/pkg/backend/extension/extension.go
++++ b/pkg/backend/extension/extension.go
+@@ -81,7 +81,8 @@ func (be *ExtensionBackend) RegisterNetwork(ctx context.Context, wg *sync.WaitGr
+ 
+ 	data := []byte{}
+ 	if len(n.preStartupCommand) > 0 {
+-		cmd_output, err := runCmd([]string{}, "", "sh", "-c", n.preStartupCommand)
++		preArgs := strings.Fields(n.preStartupCommand)
++		cmd_output, err := runCmd([]string{}, "", preArgs[0], preArgs[1:]...)
+ 		if err != nil {
+ 			return nil, fmt.Errorf("failed to run command: %s Err: %v Output: %s", n.preStartupCommand, err, cmd_output)
+ 		} else {
+@@ -122,13 +123,14 @@ func (be *ExtensionBackend) RegisterNetwork(ctx context.Context, wg *sync.WaitGr
+ 	}
+ 
+ 	if len(n.postStartupCommand) > 0 {
++		postArgs := strings.Fields(n.postStartupCommand)
+ 		cmd_output, err := runCmd([]string{
+ 			fmt.Sprintf("NETWORK=%s", config.Network),
+ 			fmt.Sprintf("SUBNET=%s", lease.Subnet),
+ 			fmt.Sprintf("IPV6SUBNET=%s", lease.IPv6Subnet),
+ 			fmt.Sprintf("PUBLIC_IP=%s", attrs.PublicIP),
+ 			fmt.Sprintf("PUBLIC_IPV6=%s", attrs.PublicIPv6)},
+-			"", "sh", "-c", n.postStartupCommand)
++			"", postArgs[0], postArgs[1:]...)
+ 		if err != nil {
+ 			return nil, fmt.Errorf("failed to run command: %s Err: %v Output: %s", n.postStartupCommand, err, cmd_output)
+ 		} else {
+@@ -141,8 +143,37 @@ func (be *ExtensionBackend) RegisterNetwork(ctx context.Context, wg *sync.WaitGr
+ 	return n, nil
+ }
+ 
++// buildEnvMap merges os.Environ() with the provided env slice into a lookup map.
++func buildEnvMap(env []string) map[string]string {
++	m := make(map[string]string)
++	for _, e := range os.Environ() {
++		k, v, _ := strings.Cut(e, "=")
++		m[k] = v
++	}
++	for _, e := range env {
++		k, v, _ := strings.Cut(e, "=")
++		m[k] = v
++	}
++	return m
++}
++
++// expandVars expands $VAR / ${VAR} references in each string using the provided map.
++// Because exec.Command is used (no shell), the expanded values are passed as literal
++// arguments — shell metacharacters in variable values cannot cause injection.
++func expandVars(envMap map[string]string, args []string) []string {
++	expanded := make([]string, len(args))
++	for i, a := range args {
++		expanded[i] = os.Expand(a, func(key string) string { return envMap[key] })
++	}
++	return expanded
++}
++
+ // Run a cmd, returning a combined stdout and stderr.
+ func runCmd(env []string, stdin string, name string, arg ...string) (string, error) {
++	envMap := buildEnvMap(env)
++	expanded := expandVars(envMap, append([]string{name}, arg...))
++	name, arg = expanded[0], expanded[1:]
++
+ 	cmd := exec.Command(name, arg...)
+ 	cmd.Env = append(os.Environ(), env...)
+ 
+diff --git a/pkg/backend/extension/extension_network.go b/pkg/backend/extension/extension_network.go
+index 009712f..6f561a9 100644
+--- a/pkg/backend/extension/extension_network.go
++++ b/pkg/backend/extension/extension_network.go
+@@ -21,6 +21,7 @@ import (
+ 	"golang.org/x/net/context"
+ 
+ 	"fmt"
++	"strings"
+ 
+ 	"github.com/flannel-io/flannel/pkg/backend"
+ 	"github.com/flannel-io/flannel/pkg/lease"
+@@ -90,11 +91,12 @@ func (n *network) handleSubnetEvents(batch []lease.Event) {
+ 					}
+ 				}
+ 
++				addArgs := strings.Fields(n.subnetAddCommand)
+ 				cmd_output, err := runCmd([]string{
+ 					fmt.Sprintf("SUBNET=%s", evt.Lease.Subnet),
+ 					fmt.Sprintf("PUBLIC_IP=%s", evt.Lease.Attrs.PublicIP)},
+ 					backendData,
+-					"sh", "-c", n.subnetAddCommand)
++					addArgs[0], addArgs[1:]...)
+ 
+ 				if err != nil {
+ 					log.Errorf("failed to run command: %s Err: %v Output: %s", n.subnetAddCommand, err, cmd_output)
+@@ -120,11 +122,12 @@ func (n *network) handleSubnetEvents(batch []lease.Event) {
+ 						continue
+ 					}
+ 				}
++				removeArgs := strings.Fields(n.subnetRemoveCommand)
+ 				cmd_output, err := runCmd([]string{
+ 					fmt.Sprintf("SUBNET=%s", evt.Lease.Subnet),
+ 					fmt.Sprintf("PUBLIC_IP=%s", evt.Lease.Attrs.PublicIP)},
+ 					backendData,
+-					"sh", "-c", n.subnetRemoveCommand)
++					removeArgs[0], removeArgs[1:]...)
+ 
+ 				if err != nil {
+ 					log.Errorf("failed to run command: %s Err: %v Output: %s", n.subnetRemoveCommand, err, cmd_output)
+-- 
+2.45.4
+

SPECS/flannel/flannel.spec

@@ -3,7 +3,7 @@
 Summary:        Simple and easy way to configure a layer 3 network fabric designed for Kubernetes
 Name:           flannel
 Version:        0.24.2
-Release:        25%{?dist}
+Release:        26%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -17,6 +17,7 @@ Patch2:         CVE-2023-45288.patch
 Patch3:         CVE-2025-30204.patch
 Patch4:         CVE-2024-51744.patch
 Patch5:         CVE-2025-65637.patch
+Patch6:         CVE-2026-32241.patch
 BuildRequires:  gcc
 BuildRequires:  glibc-devel
 BuildRequires:  glibc-static >= 2.38-19%{?dist}
@@ -53,9 +54,10 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./dist/flanneld
 %{_bindir}/flanneld
 
 %changelog
-* Wed Mar 25 2026 Aditya Singh <v-aditysing@microsoft.com> - 0.24.2-25
+* Mon Mar 30 2026 Aditya Singh <v-aditysing@microsoft.com> - 0.24.2-26
 - Bump to rebuild with updated glibc
-
+* Mon Mar 30 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.24.2-25
+- Patch for CVE-2026-32241
 * Thu Jan 22 2026 Kanishk Bansal <kanbansal@microsoft.com> - 0.24.2-24
 - Bump to rebuild with updated glibc