Skip to main content

KubeVirt CVE-2026-13208

| EUVDEUVD-2026-39087 MEDIUM
Improper Authentication (CWE-287)
2026-06-24 secalert@redhat.com GHSA-72r2-m3hg-cvf5
6.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

AV:L because exploitation requires process execution on the node; PR:L because a compromised virt-launcher (low-privilege process) is needed; S:C and A:H because forged events disrupt VMIs outside the attacker's own workload.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 21:42 vuln.today

DescriptionCVE.org

A flaw was found in KubeVirt's virt-handler domain notify server. The gRPC handlers for HandleDomainEvent and HandleK8SEvent derive the VMI identity (namespace/name) solely from the request body without validating it against the connection's origin. Each virt-launcher pod connects through a per-VMI pipe socket, but no identity tag is propagated from the pipe path to the server handlers. This allows a compromised virt-launcher process to send forged domain lifecycle events for any other VMI scheduled on the same node, causing virt-handler to erroneously update that VMI's state and disrupt its lifecycle management.

AnalysisAI

KubeVirt's virt-handler domain notify server allows a compromised virt-launcher process to forge lifecycle events for any other VMI scheduled on the same Kubernetes node, causing virt-handler to corrupt that VMI's state and disrupt its lifecycle management. The root cause is that gRPC handlers for HandleDomainEvent and HandleK8SEvent accept VMI namespace/name exclusively from the request body, never cross-checking against the per-VMI pipe socket the connection arrived on. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Compromise virt-launcher pod via workload vulnerability
Delivery
Identify target VMI namespace/name on same node
Exploit
Craft forged gRPC HandleDomainEvent message with victim VMI identity
Install
Submit forged event to virt-handler domain notify server via pipe socket
C2
virt-handler accepts event without origin validation
Execute
Target VMI lifecycle state corrupted
Impact
VMI availability disrupted

Vulnerability AssessmentAI

Exploitation Exploitation requires prior code execution within a virt-launcher pod on the same Kubernetes node as the target VMI - the attacker must first compromise one virt-launcher process (e.g., through a guest-visible vulnerability, container escape, or supply-chain compromise of the virt-launcher image). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H) scores at 6.5 Medium, but the changed-scope designation (S:C) and A:H signal meaningful blast radius: a single compromised virt-launcher can disrupt every VMI on the same node, not just its own. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has achieved code execution inside a virt-launcher pod - for example via a vulnerability in the containerized workload or a container escape - can craft a gRPC message to HandleDomainEvent claiming the namespace and name of a high-value VMI belonging to a different tenant on the same Kubernetes node. Because virt-handler blindly trusts this claimed identity, the forged event causes it to transition the victim VMI into an incorrect lifecycle state (e.g., marking it as shut down or failed), triggering erroneous remediation actions and causing availability loss for that workload. …
Remediation No specific patch version was included in the available intelligence data; the primary reference for fix status is https://access.redhat.com/security/cve/CVE-2026-13208, which should be consulted for updated patch information. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-1798 MEDIUM POC
6.5 Sep 15

A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to confi

CVE-2020-14316 CRITICAL
9.9 Jul 29

A flaw was found in kubevirt 0.29 and earlier. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploi

CVE-2023-26484 HIGH
8.2 Mar 15

KubeVirt is a virtual machine management add-on for Kubernetes. Rated high severity (CVSS 8.2), this vulnerability is re

CVE-2026-13201 HIGH
7.3 Jun 24

Local privilege boundary bypass in KubeVirt's safepath package lets an attacker who controls a virt-launcher pod trick t

CVE-2026-13318 MEDIUM
6.4 Jun 26

Server-side request forgery in KubeVirt's virt-api port-forward handler allows authenticated Kubernetes users with kubev

CVE-2024-33394 MEDIUM
5.9 May 02

An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command

CVE-2026-13218 MEDIUM
4.2 Jun 26

Symlink-following in KubeVirt's virt-handler permits a container-level attacker to overwrite arbitrary host files and ch

CVE-2025-64324 HIGH POC
8.5 Nov 18

KubeVirt is a virtual machine management add-on for Kubernetes. Rated high severity (CVSS 8.5), this vulnerability is no

CVE-2025-64437 MEDIUM POC
5.0 Nov 07

KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.0). Public exploit code av

CVE-2025-64436 MEDIUM POC
6.9 Nov 07

KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 6.9), this vulnerability is

CVE-2025-64435 MEDIUM POC
5.3 Nov 07

KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.3), this vulnerability is

CVE-2025-64434 MEDIUM POC
4.7 Nov 07

KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 4.7). Public exploit code av

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.4 Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

CVE-2026-13208 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy