Action not permitted
Modal body text goes here.
Modal Title
Modal Body
Vulnerability from cleanstart
Multiple security vulnerabilities affect the kubernetes-dns-node-cache package. These issues are resolved in later releases. See references for individual vulnerability details.
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "kubernetes-dns-node-cache"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.26.7-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the kubernetes-dns-node-cache package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-MU54962",
"modified": "2026-04-01T11:32:34Z",
"published": "2026-04-06T02:54:48.662994Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-MU54962.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-527x-5wrf-22m2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-g754-hx8w-x2g6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jgfp-53c3-624w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-px8v-pp82-rcvr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vv39-3w5q-974q"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for ghsa-527x-5wrf-22m2, ghsa-g754-hx8w-x2g6, ghsa-jgfp-53c3-624w, ghsa-px8v-pp82-rcvr, ghsa-vv39-3w5q-974q applied in versions: 1.25.0-r0, 1.26.7-r0",
"upstream": [
"ghsa-527x-5wrf-22m2",
"ghsa-g754-hx8w-x2g6",
"ghsa-jgfp-53c3-624w",
"ghsa-px8v-pp82-rcvr",
"ghsa-vv39-3w5q-974q"
]
}
GHSA-VV39-3W5Q-974Q
Vulnerability from github – Published: 2025-03-13 18:32 – Updated: 2025-03-13 21:24A security vulnerability has been discovered in Kubernetes windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host. This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.29.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.30.0-alpha.0"
},
{
"fixed": "1.30.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.31.0-alpha.0"
},
{
"fixed": "1.31.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.32.0-alpha.0"
},
{
"fixed": "1.32.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-9042"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-77"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-13T21:24:12Z",
"nvd_published_at": "2025-03-13T17:15:34Z",
"severity": "MODERATE"
},
"details": "A security vulnerability has been discovered in Kubernetes windows nodes that could allow a user with the ability to query a node\u0027s \u0027/logs\u0027 endpoint to execute arbitrary commands on the host. This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.",
"id": "GHSA-vv39-3w5q-974q",
"modified": "2025-03-13T21:24:13Z",
"published": "2025-03-13T18:32:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9042"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/129654"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/commit/45f4ccc2153bbb782253704cbe24c05e22b5d60c"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/commit/5fe148234f8ab1184f26069c4f7bef6c37efe347"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/commit/75c83a6871dc030675288c6d63c275a43c2f0d55"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/commit/fb0187c2bf7061258bb89891edb1237261eb7abc"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/kubernetes"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/9C3vn6aCSVg"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/01/16/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Kubernetes allows Command Injection affecting Windows nodes via nodes/*/logs/query API"
}
GHSA-PX8V-PP82-RCVR
Vulnerability from github – Published: 2024-12-02 17:28 – Updated: 2024-12-04 22:16Impact
An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a "message too large" error on sendmsg, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet.
By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they're unable to establish a QUIC connection).
As far as I understand, the kernel tracks the MTU per 4-tuple, so the attacker needs to at least know the client's IP and port tuple to mount an attack (assuming that it knows the server's IP and port).
Patches
The fix is easy: Use IP_PMTUDISC_PROBE instead of IP_PMTUDISC_DO. This socket option only sets the DF bit, but disables the kernel's MTU tracking.
Has the problem been patched? What versions should users upgrade to?
Fixed in https://github.com/quic-go/quic-go/pull/4729 Released in https://github.com/quic-go/quic-go/releases/tag/v0.48.2
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Use iptables to drop ICMP Unreachable packets.
References
Are there any links users can visit to find out more?
This bug was discovered while doing research for my new IETF draft on IP fragmentation: https://datatracker.ietf.org/doc/draft-seemann-tsvwg-udp-fragmentation/
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/quic-go/quic-go"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.48.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-53259"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-02T17:28:14Z",
"nvd_published_at": "2024-12-02T17:15:12Z",
"severity": "MODERATE"
},
"details": "### Impact\nAn off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used `IP_PMTUDISC_DO`, the kernel would then return a \"message too large\" error on `sendmsg`, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet.\n\nBy setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they\u0027re unable to establish a QUIC connection).\n\nAs far as I understand, the kernel tracks the MTU per 4-tuple, so the attacker needs to at least know the client\u0027s IP and port tuple to mount an attack (assuming that it knows the server\u0027s IP and port).\n\n### Patches\n\nThe fix is easy: Use `IP_PMTUDISC_PROBE` instead of `IP_PMTUDISC_DO`. This socket option only sets the DF bit, but disables the kernel\u0027s MTU tracking.\n\n_Has the problem been patched? What versions should users upgrade to?_\n\nFixed in https://github.com/quic-go/quic-go/pull/4729\nReleased in https://github.com/quic-go/quic-go/releases/tag/v0.48.2\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nUse iptables to drop ICMP Unreachable packets.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\nThis bug was discovered while doing research for my new IETF draft on IP fragmentation: https://datatracker.ietf.org/doc/draft-seemann-tsvwg-udp-fragmentation/\n",
"id": "GHSA-px8v-pp82-rcvr",
"modified": "2024-12-04T22:16:38Z",
"published": "2024-12-02T17:28:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53259"
},
{
"type": "WEB",
"url": "https://github.com/quic-go/quic-go/pull/4729"
},
{
"type": "WEB",
"url": "https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50"
},
{
"type": "PACKAGE",
"url": "https://github.com/quic-go/quic-go"
},
{
"type": "WEB",
"url": "https://github.com/quic-go/quic-go/releases/tag/v0.48.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "quic-go affected by an ICMP Packet Too Large Injection Attack on Linux"
}
GHSA-527X-5WRF-22M2
Vulnerability from github – Published: 2026-01-08 20:12 – Updated: 2026-01-08 20:12Multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, or message size constraints.
Impact
1. Missing connection and stream limits (gRPC / HTTPS / HTTP3)
The affected servers do not enforce reasonable upper bounds on concurrent connections or active streams. An attacker can:
- Open many parallel connections
- Rapidly issue requests without limit
- Consume memory until the CoreDNS process becomes unresponsive or is terminated by the OOM killer
Testing demonstrates that modest resource configurations (e.g., 256 MB RAM) can be exhausted quickly. Increasing concurrency parameters in the PoCs allows attackers to scale the impact.
2. Missing message-size validation in the gRPC server
The gRPC server accepts arbitrarily large protobuf messages (default limit ~4 MB per request) without validating against DNS protocol constraints (maximum 64 KB). Sending multiple concurrent oversized messages can quickly exhaust available memory.
This vulnerability mirrors earlier hardening work in PR https://github.com/coredns/coredns/pull/7490, which applied checks for upstream proxying but left server-side request validation unprotected.
Result:
In all cases, remote unauthenticated attackers can reliably trigger memory exhaustion and cause a denial of service.
Patches
v1.14.0
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coredns/coredns"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.14.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68151"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-08T20:12:58Z",
"nvd_published_at": "2026-01-08T16:15:59Z",
"severity": "MODERATE"
},
"details": "Multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, or message size constraints.\n\n### Impact\n\n#### 1. Missing connection and stream limits (gRPC / HTTPS / HTTP3)\n\nThe affected servers do not enforce reasonable upper bounds on concurrent connections or active streams. An attacker can:\n\n- Open many parallel connections\n- Rapidly issue requests without limit\n- Consume memory until the CoreDNS process becomes unresponsive or is terminated by the OOM killer\n\nTesting demonstrates that modest resource configurations (e.g., 256 MB RAM) can be exhausted quickly. Increasing concurrency parameters in the PoCs allows attackers to scale the impact.\n\n#### 2. Missing message-size validation in the gRPC server\n\nThe gRPC server accepts arbitrarily large protobuf messages (default limit ~4 MB per request) without validating against DNS protocol constraints (maximum 64 KB). Sending multiple concurrent oversized messages can quickly exhaust available memory.\n\nThis vulnerability mirrors earlier hardening work in PR https://github.com/coredns/coredns/pull/7490, which applied checks for upstream proxying but left server-side request validation unprotected.\n\n#### Result:\nIn all cases, remote unauthenticated attackers can reliably trigger memory exhaustion and cause a denial of service.\n\n\n### Patches\n_v1.14.0_",
"id": "GHSA-527x-5wrf-22m2",
"modified": "2026-01-08T20:12:58Z",
"published": "2026-01-08T20:12:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/security/advisories/GHSA-527x-5wrf-22m2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68151"
},
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/pull/7490"
},
{
"type": "WEB",
"url": "https://github.com/coredns/coredns/commit/0d8cbb1a6bcb6bc9c1a489865278b8725fa20812"
},
{
"type": "PACKAGE",
"url": "https://github.com/coredns/coredns"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages"
}
GHSA-JGFP-53C3-624W
Vulnerability from github – Published: 2025-02-13 18:32 – Updated: 2025-12-20 03:12A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node's disk.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.32.0"
},
{
"fixed": "1.32.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.31.0"
},
{
"fixed": "1.31.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.30.0"
},
{
"fixed": "1.30.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.29.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-0426"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-13T20:55:29Z",
"nvd_published_at": "2025-02-13T16:16:48Z",
"severity": "MODERATE"
},
"details": "A security issue was discovered in Kubernetes where a large number of container checkpoint requests made to the unauthenticated kubelet read-only HTTP endpoint may cause a Node Denial of Service by filling the Node\u0027s disk.",
"id": "GHSA-jgfp-53c3-624w",
"modified": "2025-12-20T03:12:03Z",
"published": "2025-02-13T18:32:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0426"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/130016"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-jgfp-53c3-624w"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/kubernetes"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/KiODfu8i6w8"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/02/13/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Node Denial of Service via kubelet Checkpoint API"
}
GHSA-G754-HX8W-X2G6
Vulnerability from github – Published: 2025-12-11 16:48 – Updated: 2025-12-17 00:36Summary
An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion.
Impact
A misbehaving or malicious peer can cause a denial-of-service (DoS) attack on quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or exhaustion. It affects both servers and clients due to symmetric header construction.
Details
In HTTP/3, headers are compressed using QPACK (RFC 9204). quic-go's HTTP/3 server (and client) decodes the QPACK-encoded HEADERS frame into header fields, then constructs an http.Request (or response).
http3.Server.MaxHeaderBytes and http3.Transport.MaxResponseHeaderBytes, respectively, limit encoded HEADERS frame size (default: 1 MB server, 10 MB client), but not decoded size. A maliciously crafted HEADERS frame can expand to ~50x the encoded size using QPACK static table entries with long names / values.
RFC 9114 requires enforcing decoded field section size limits via SETTINGS, which quic-go did not do.
The Fix
quic-go now enforces RFC 9114 decoded field section size limits, sending SETTINGS_MAX_FIELD_SECTION_SIZE and using incremental QPACK decoding to check the header size after each entry, aborting early on violations with HTTP 431 (on the server side) and stream reset (on the client side).
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/quic-go/quic-go"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.57.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64702"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-11T16:48:27Z",
"nvd_published_at": "2025-12-11T21:15:54Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nAn attacker can cause excessive memory allocation in quic-go\u0027s HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an `http.Header` (used on the `http.Request` and `http.Response`, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion.\n\n## Impact\n\nA misbehaving or malicious peer can cause a denial-of-service (DoS) attack on quic-go\u0027s HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or exhaustion. It affects both servers and clients due to symmetric header construction.\n\n## Details\n\nIn HTTP/3, headers are compressed using QPACK (RFC 9204). quic-go\u0027s HTTP/3 server (and client) decodes the QPACK-encoded HEADERS frame into header fields, then constructs an http.Request (or response).\n\n`http3.Server.MaxHeaderBytes` and `http3.Transport.MaxResponseHeaderBytes`, respectively, limit encoded HEADERS frame size (default: 1 MB server, 10 MB client), but not decoded size. A maliciously crafted HEADERS frame can expand to ~50x the encoded size using QPACK static table entries with long names / values.\n\nRFC 9114 requires enforcing decoded field section size limits via SETTINGS, which quic-go did not do.\n\n## The Fix\n\nquic-go now enforces RFC 9114 decoded field section size limits, sending SETTINGS_MAX_FIELD_SECTION_SIZE and using incremental QPACK decoding to check the header size after each entry, aborting early on violations with HTTP 431 (on the server side) and stream reset (on the client side).",
"id": "GHSA-g754-hx8w-x2g6",
"modified": "2025-12-17T00:36:27Z",
"published": "2025-12-11T16:48:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64702"
},
{
"type": "WEB",
"url": "https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8"
},
{
"type": "PACKAGE",
"url": "https://github.com/quic-go/quic-go"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "quic-go HTTP/3 QPACK Header Expansion DoS"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.