Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
Attacker needs control of a virt-launcher pod (PR:L, AV:L); symlink redirect crosses the pod-to-host boundary (S:C) causing host file modification (I:L) and potential node disruption (A:H), with no data disclosure (C:N).
AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
Primary rating from Vendor (redhat).
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
Lifecycle Timeline
6DescriptionNVD
A flaw was found in KubeVirt's safepath package. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream helpers operate via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel dereferences it, defeating the intended no-follow protection. An attacker with access to a virt-launcher pod can exploit this to cause virt-handler to apply file ownership or permission changes to an unintended host path.
AnalysisAI
Local privilege boundary bypass in KubeVirt's safepath package lets an attacker who controls a virt-launcher pod trick the privileged virt-handler into applying file ownership or permission changes to unintended host paths. The OpenAtNoFollow safeguard is defeated because downstream helpers re-open the descriptor through /proc/self/fd/N with link-following syscalls, so a symlink at the path leaf is dereferenced. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already have access to or control of a virt-launcher pod (PR:L, local vector) and the ability to place a symlink at a path leaf that KubeVirt's safepath helpers will subsequently act on while virt-handler runs a chown/chmod-style operation via /proc/self/fd/N. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent and point to a genuine but bounded, non-urgent issue rather than a top-priority emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has compromised a workload inside a virt-launcher pod, or a malicious tenant able to run one, plants a symlink at a path leaf that KubeVirt will later operate on. When virt-handler performs an ownership or permission change through the vulnerable safepath helper, the kernel follows the symlink and applies the change to an attacker-chosen host file instead, potentially corrupting host components or affecting node availability. … |
| Remediation | No vendor-released patch version is identified at time of analysis; the available references (Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-13201 and Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=2492203) should be monitored for the fixed KubeVirt release, and you should upgrade to it as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit RBAC policies and identify all users with KubeVirt virt-launcher pod creation privileges. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to confi
A flaw was found in kubevirt 0.29 and earlier. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploi
KubeVirt is a virtual machine management add-on for Kubernetes. Rated high severity (CVSS 8.2), this vulnerability is re
KubeVirt's virt-handler domain notify server allows a compromised virt-launcher process to forge lifecycle events for an
Server-side request forgery in KubeVirt's virt-api port-forward handler allows authenticated Kubernetes users with kubev
An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command
Symlink-following in KubeVirt's virt-handler permits a container-level attacker to overwrite arbitrary host files and ch
KubeVirt is a virtual machine management add-on for Kubernetes. Rated high severity (CVSS 8.5), this vulnerability is no
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.0). Public exploit code av
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 6.9), this vulnerability is
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.3), this vulnerability is
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 4.7). Public exploit code av
Same weakness CWE-61 – UNIX Symbolic Link (Symlink) Following
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Micro 5.3 | Affected |
| SUSE Linux Enterprise Micro 5.4 | Affected |
| SUSE Linux Enterprise Micro 5.5 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| SUSE Linux Micro 6.0 | Affected |
| SUSE Linux Micro 6.1 | Affected |
| SUSE Linux Micro 6.2 | Affected |
| openSUSE Leap 16.0 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP4 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP5 | Affected |
| SUSE Linux Enterprise Server 15 SP4 | Affected |
| SUSE Linux Enterprise Server 15 SP5 | Affected |
| SUSE Manager Proxy 4.3 | Affected |
| SUSE Manager Retail Branch Server 4.3 | Affected |
| SUSE Manager Server 4.3 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| openSUSE Leap 15.4 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap Micro 5.3 | Affected |
| openSUSE Leap Micro 5.4 | Affected |
| openSUSE Leap Micro 5.5 | Affected |
| SUSE Linux Micro Extras 6.0 | Affected |
| SUSE Linux Micro Extras 6.1 | Affected |
| SUSE Linux Micro Extras 6.2 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39086
GHSA-rcfc-7m3g-h5xh