Skip to main content

KubeVirt CVE-2026-13325

| EUVDEUVD-2026-39645 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-26 redhat GHSA-r578-whjq-mcfv
8.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.5 HIGH

Reachable over the pod network (AV:N) but gated on non-default disableTLS plus locating a random port (AC:H) and a pod foothold (PR:L); cross-tenant VM takeover yields S:C with full C/I/A.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SUSE
HIGH
qualitative
Red Hat
8.5 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 11:22 vuln.today

DescriptionCVE.org

A flaw was found in KubeVirt's migration proxy. When spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource, the target virt-handler binds a plain TCP listener on all interfaces (0.0.0.0/::) on a random port with no authentication, peer allow-list, or handshake token. This listener proxies directly into the target virt-launcher's virtqemud control socket. An attacker with a running pod on the cluster network can connect to this listener and issue unfiltered libvirt RPC commands against another tenant's virtual machine, including reading VM memory and configuration, modifying VM state via QMP, or destroying the VM. The bind address is unconditionally 0.0.0.0 - configuring a dedicated migration network via migrations.network only changes the advertised migration IP, not the listener bind address, so the port remains reachable on the pod network even when a dedicated migration network is configured. The API documentation describes disableTLS as removing "the additional layer of live migration encryption" without disclosing that it also removes all mutual authentication.

AnalysisAI

Cross-tenant VM compromise in KubeVirt (and Red Hat OpenShift Virtualization 4) occurs when spec.configuration.migrations.disableTLS is set to true, causing virt-handler to expose an unauthenticated plaintext TCP proxy into a virt-launcher's virtqemud control socket on all interfaces. An authenticated tenant who can run any pod on the cluster network can reach this listener and issue arbitrary libvirt RPC commands against another tenant's virtual machine - reading guest memory, altering VM state via QMP, or destroying the VM. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain schedulable pod on cluster network
Delivery
Scan pod network for virt-handler proxy port
Exploit
Connect to unauthenticated TCP listener
Execution
Issue libvirt RPC to victim virtqemud
Impact
Read memory, alter QMP state, or destroy VM

Vulnerability AssessmentAI

Exploitation Exploitation requires that spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource - a non-default setting that removes mutual authentication, peer allow-listing, and handshake tokens. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H = 8.5) is internally consistent with the description: network-reachable (any pod on the cluster network), low privilege (a tenant who can schedule a pod), high attack complexity (the feature must be non-default-enabled and the attacker must locate a random ephemeral port), with a scope change reflecting one tenant compromising another tenant's VM and full confidentiality/integrity/availability loss over that VM. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised tenant deploys an ordinary pod into a cluster where disableTLS=true has been enabled, then probes the pod network for virt-handler's open migration proxy port. Connecting to the unauthenticated TCP listener, the attacker speaks libvirt RPC straight to a victim tenant's virtqemud socket to dump VM memory, change machine state via QMP, or destroy the VM. …
Remediation No vendor-released patch version is identified in the available data; consult https://access.redhat.com/security/cve/CVE-2026-13325 and https://bugzilla.redhat.com/show_bug.cgi?id=2493378 for the fixed build. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit all KubeVirt/OpenShift Virtualization deployments for spec.configuration.migrations.disableTLS=true and immediately set this value to false. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.4 Affected
SUSE Linux Enterprise Micro 5.5 Affected
SUSE Linux Enterprise Module for Containers 15 SP7 Affected

Share

CVE-2026-13325 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy