Skip to main content

KubeVirt CVE-2026-13218

| EUVDEUVD-2026-39594 MEDIUM
UNIX Symbolic Link (Symlink) Following (CWE-61)
2026-06-26 secalert@redhat.com GHSA-q3jc-42cq-33fj
4.2
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
4.2 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L
vuln.today AI
4.2 MEDIUM

Local vector and low privileges reflect container-level access requirement; high complexity captures symlink timing window; scope change applies due to host filesystem impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L
SUSE
MEDIUM
qualitative
Red Hat
4.2 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 00:34 vuln.today

DescriptionCVE.org

A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership.

AnalysisAI

Symlink-following in KubeVirt's virt-handler permits a container-level attacker to overwrite arbitrary host files and change their ownership. An attacker with access to the virt-launcher container can plant a symlink at the network cache file path expected by the WriteToCachedFile function; virt-handler then follows that symlink when calling os.WriteFile and os.Chown, enabling writes of attacker-influenced JSON content to any path accessible by virt-handler on the host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain shell access in virt-launcher container
Delivery
Identify virt-handler cache file path on launcher filesystem
Exploit
Plant symlink redirecting cache path to target host file
Install
Await virt-handler WriteToCachedFile invocation
C2
virt-handler follows symlink, overwrites host file with JSON
Execute
virt-handler chowns host file to container UID
Impact
Host service reads corrupted or attacker-owned file

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker hold active access to the virt-launcher container (e.g., shell access via `kubectl exec` or a guest escape), sufficient to create a symlink at the specific filesystem path used by virt-handler's `WriteToCachedFile` for network cache storage. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 4.2 (Medium) reflects the realistic exploitation difficulty. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has gained shell access inside a virt-launcher VM pod - for example, through a guest escape or a compromised containerized workload - identifies the filesystem path where virt-handler writes its network cache file. The attacker replaces or pre-creates that path as a symlink pointing to a sensitive host file such as `/etc/cron.d/kubevirt` or a kubeconfig. …
Remediation The primary fix should be obtained from the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-13218 and the upstream KubeVirt project; no specific patched version number was present in the available input data, so no exact fix version can be cited. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-1798 MEDIUM POC
6.5 Sep 15

A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to confi

CVE-2020-14316 CRITICAL
9.9 Jul 29

A flaw was found in kubevirt 0.29 and earlier. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploi

CVE-2023-26484 HIGH
8.2 Mar 15

KubeVirt is a virtual machine management add-on for Kubernetes. Rated high severity (CVSS 8.2), this vulnerability is re

CVE-2026-13201 HIGH
7.3 Jun 24

Local privilege boundary bypass in KubeVirt's safepath package lets an attacker who controls a virt-launcher pod trick t

CVE-2026-13208 MEDIUM
6.5 Jun 24

KubeVirt's virt-handler domain notify server allows a compromised virt-launcher process to forge lifecycle events for an

CVE-2026-13318 MEDIUM
6.4 Jun 26

Server-side request forgery in KubeVirt's virt-api port-forward handler allows authenticated Kubernetes users with kubev

CVE-2024-33394 MEDIUM
5.9 May 02

An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command

CVE-2025-64324 HIGH POC
8.5 Nov 18

KubeVirt is a virtual machine management add-on for Kubernetes. Rated high severity (CVSS 8.5), this vulnerability is no

CVE-2025-64437 MEDIUM POC
5.0 Nov 07

KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.0). Public exploit code av

CVE-2025-64436 MEDIUM POC
6.9 Nov 07

KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 6.9), this vulnerability is

CVE-2025-64435 MEDIUM POC
5.3 Nov 07

KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.3), this vulnerability is

CVE-2025-64434 MEDIUM POC
4.7 Nov 07

KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 4.7). Public exploit code av

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.4 Affected
SUSE Linux Enterprise Micro 5.5 Affected
SUSE Linux Enterprise Module for Containers 15 SP7 Affected

Share

CVE-2026-13218 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy