Skip to main content

KubeVirt CVE-2026-13201

| EUVDEUVD-2026-39086 HIGH
UNIX Symbolic Link (Symlink) Following (CWE-61)
2026-06-24 secalert@redhat.com GHSA-rcfc-7m3g-h5xh
7.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (redhat) PRIMARY
MEDIUM
qualitative
NVD
7.3 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
vuln.today AI
7.3 HIGH

Attacker needs control of a virt-launcher pod (PR:L, AV:L); symlink redirect crosses the pod-to-host boundary (S:C) causing host file modification (I:L) and potential node disruption (A:H), with no data disclosure (C:N).

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H
SUSE
5.2 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
Red Hat
7.3 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 26, 2026 - 00:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 26, 2026 - 00:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 26, 2026 - 00:22 vuln.today
cvss_changed
Severity Changed
Jun 26, 2026 - 00:22 NVD
MEDIUM HIGH
CVSS changed
Jun 26, 2026 - 00:22 NVD
5.2 (MEDIUM) 7.3 (HIGH)
Analysis Generated
Jun 24, 2026 - 21:42 vuln.today

DescriptionNVD

A flaw was found in KubeVirt's safepath package. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream helpers operate via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel dereferences it, defeating the intended no-follow protection. An attacker with access to a virt-launcher pod can exploit this to cause virt-handler to apply file ownership or permission changes to an unintended host path.

AnalysisAI

Local privilege boundary bypass in KubeVirt's safepath package lets an attacker who controls a virt-launcher pod trick the privileged virt-handler into applying file ownership or permission changes to unintended host paths. The OpenAtNoFollow safeguard is defeated because downstream helpers re-open the descriptor through /proc/self/fd/N with link-following syscalls, so a symlink at the path leaf is dereferenced. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain control of virt-launcher pod
Delivery
Plant symlink at target path leaf
Exploit
virt-handler calls safepath helper via /proc/self/fd/N
Execution
Kernel follows symlink defeating no-follow
Impact
Host file ownership/permissions changed on unintended path

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already have access to or control of a virt-launcher pod (PR:L, local vector) and the ability to place a symlink at a path leaf that KubeVirt's safepath helpers will subsequently act on while virt-handler runs a chown/chmod-style operation via /proc/self/fd/N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are consistent and point to a genuine but bounded, non-urgent issue rather than a top-priority emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has compromised a workload inside a virt-launcher pod, or a malicious tenant able to run one, plants a symlink at a path leaf that KubeVirt will later operate on. When virt-handler performs an ownership or permission change through the vulnerable safepath helper, the kernel follows the symlink and applies the change to an attacker-chosen host file instead, potentially corrupting host components or affecting node availability. …
Remediation No vendor-released patch version is identified at time of analysis; the available references (Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-13201 and Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=2492203) should be monitored for the fixed KubeVirt release, and you should upgrade to it as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit RBAC policies and identify all users with KubeVirt virt-launcher pod creation privileges. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-1798 MEDIUM POC
6.5 Sep 15

A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to confi

CVE-2020-14316 CRITICAL
9.9 Jul 29

A flaw was found in kubevirt 0.29 and earlier. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploi

CVE-2023-26484 HIGH
8.2 Mar 15

KubeVirt is a virtual machine management add-on for Kubernetes. Rated high severity (CVSS 8.2), this vulnerability is re

CVE-2026-13208 MEDIUM
6.5 Jun 24

KubeVirt's virt-handler domain notify server allows a compromised virt-launcher process to forge lifecycle events for an

CVE-2026-13318 MEDIUM
6.4 Jun 26

Server-side request forgery in KubeVirt's virt-api port-forward handler allows authenticated Kubernetes users with kubev

CVE-2024-33394 MEDIUM
5.9 May 02

An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command

CVE-2026-13218 MEDIUM
4.2 Jun 26

Symlink-following in KubeVirt's virt-handler permits a container-level attacker to overwrite arbitrary host files and ch

CVE-2025-64324 HIGH POC
8.5 Nov 18

KubeVirt is a virtual machine management add-on for Kubernetes. Rated high severity (CVSS 8.5), this vulnerability is no

CVE-2025-64437 MEDIUM POC
5.0 Nov 07

KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.0). Public exploit code av

CVE-2025-64436 MEDIUM POC
6.9 Nov 07

KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 6.9), this vulnerability is

CVE-2025-64435 MEDIUM POC
5.3 Nov 07

KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.3), this vulnerability is

CVE-2025-64434 MEDIUM POC
4.7 Nov 07

KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 4.7). Public exploit code av

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.4 Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

CVE-2026-13201 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy