Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
Raising A to H because OOM-killing virt-handler disrupts all VMs on the node, not just one; all other metrics align with vendor vector.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is received, with no length limit or read deadline. A user with access to a VM guest that has the downward metrics virtio-serial device configured can write a continuous byte stream to the device, causing unbounded memory allocation in the virt-handler process until it is OOM-killed.
AnalysisAI
Unbounded memory allocation in KubeVirt's downward metrics virtio-serial server within Red Hat OpenShift Virtualization 4 allows a local VM guest user to exhaust host-side memory. The virt-handler process - which runs on the Kubernetes node and manages VM lifecycle - uses textproto.Reader.ReadLine() with no read deadline or buffer cap, so a continuous byte stream from the guest causes virt-handler to allocate memory without bound until the Linux OOM killer terminates it. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two specific conditions to be simultaneously true: the attacker must have shell or console access (PR:L) inside a running guest VM, and that VM must have the KubeVirt downward metrics feature enabled with its virtio-serial device exposed to the guest. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 3.8 (Low) is consistent with the vector AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user with shell access to a VM guest that has the downward metrics virtio-serial device configured executes a simple command such as 'cat /dev/zero > /dev/virtio-ports/org.qemu.guest_agent.0' or writes a continuous stream to the appropriate virtio-serial device node. The virt-handler process on the Kubernetes node incrementally allocates heap memory for each byte received, and because no size limit or timeout is enforced, the process grows until the Linux OOM killer terminates it. … |
| Remediation | Patch available per vendor advisory - consult https://access.redhat.com/security/cve/CVE-2026-13322 for the released fix version, as no specific patched release number was confirmed in the available source data at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Privilege escalation to cluster-wide control in KubeVirt's virt-handler component (as shipped in Red Hat OpenShift Virtu
Cross-tenant VM compromise in KubeVirt (and Red Hat OpenShift Virtualization 4) occurs when spec.configuration.migration
Arbitrary file read in KubeVirt's virt-exportserver component allows authenticated namespace users to exfiltrate sensiti
Network annotation injection in KubeVirt's VirtualMachineInstance API allows authenticated tenants to attach launcher po
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39599
GHSA-6f2p-2qg2-qqch