Skip to main content

OpenShift Virtualization CVE-2026-13434

| EUVDEUVD-2026-39796 MEDIUM
Improper Input Validation (CWE-20)
2026-06-26 redhat GHSA-9fjc-whw6-cqfc
4.9
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
4.9 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
4.9 MEDIUM

API is network-reachable (AV:N); non-default feature gate required raises complexity (AC:H); kubevirt.io:edit tenant role needed (PR:L); cross-namespace network impact changes scope (S:C); no availability impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
SUSE
MEDIUM
qualitative
Red Hat
4.9 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 17:29 vuln.today

DescriptionCVE.org

A flaw was found in KubeVirt's network annotation generator. When a tenant creates a VirtualMachineInstance with a Multus network configuration, the supplied networkName value is written verbatim into the launcher pod's v1.multus-cni.io/default-network annotation without format validation or sanitization. The only admission check rejects empty strings; no DNS-1123 format validation, JSON detection, or special character rejection is performed. When the ExternalNetResourceInjection Beta feature gate is enabled (off by default, cluster-admin only), the NAD lookup that would otherwise catch malformed names is skipped by design. A tenant with kubevirt.io:edit permissions can inject a JSON-formatted NetworkSelectionElement array specifying an arbitrary namespace, NAD name, static IP address, and MAC address. Multus on the node parses this JSON and attaches the launcher pod to the specified network attachment in any namespace, enabling cross-namespace network access and IP/MAC impersonation on network segments normally segregated from tenant workloads. The ExternalNetResourceInjection feature gate was introduced in KubeVirt v1.8.0 (first shipped in OpenShift Virtualization 4.21).

AnalysisAI

Network annotation injection in KubeVirt's VirtualMachineInstance API allows authenticated tenants to attach launcher pods to arbitrary network namespaces by writing unsanitized JSON into the Multus CNI default-network annotation. Exploitation is gated on the ExternalNetResourceInjection Beta feature gate being explicitly enabled by a cluster-admin (off by default, first available in OpenShift Virtualization 4.21), which intentionally bypasses the NAD namespace lookup that would otherwise reject malformed annotation values. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain kubevirt.io:edit tenant permissions
Delivery
Identify target NAD name and namespace via reconnaissance
Exploit
Craft VMI with JSON-injected networkName in Multus config
Install
Submit VMI to Kubernetes API server (only empty-string check fires)
C2
Launcher pod created with injected v1.multus-cni.io/default-network annotation
Execute
Multus on node parses JSON and attaches pod to cross-namespace network segment
Impact
Achieve cross-tenant network access and IP/MAC spoofing

Vulnerability AssessmentAI

Exploitation Exploitation requires both of the following conditions to be simultaneously true: (1) the ExternalNetResourceInjection Beta feature gate must be explicitly enabled by a cluster-admin - this is off by default and was only introduced in KubeVirt v1.8.0/OpenShift Virtualization 4.21, meaning all earlier versions and all default-configuration deployments of any version are not exploitable; (2) the attacker must hold kubevirt.io:edit permissions on the targeted namespace, which is a legitimate tenant role explicitly granted by cluster administrators. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.9 with vector AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N accurately reflects the risk profile: network-reachable via the Kubernetes API, but constrained by high attack complexity (AC:H) due to the non-default ExternalNetResourceInjection feature gate prerequisite, and requiring low-privilege authenticated access (PR:L, kubevirt.io:edit role). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A tenant holding kubevirt.io:edit permissions on a cluster where ExternalNetResourceInjection is enabled submits a VirtualMachineInstance manifest with the Multus networkName field set to a JSON NetworkSelectionElement array, specifying an administrative-namespace NAD and a spoofed IP and MAC address matching a privileged host. The API server admits the VMI (only the empty-string check fires), the launcher pod is created carrying the injected annotation, and Multus on the node parses it and attaches the pod to the targeted network segment - granting the tenant traffic visibility and impersonation capability on a network normally inaccessible to tenant workloads. …
Remediation Monitor the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-13434 for a patched release; no specific fixed version was confirmed in available data at time of analysis, and the Bugzilla report at https://bugzilla.redhat.com/show_bug.cgi?id=2493576 should be tracked for patch availability. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected
SUSE Linux Enterprise Micro 5.3 Not-Affected
SUSE Linux Enterprise Micro 5.4 Not-Affected
SUSE Linux Enterprise Micro 5.5 Not-Affected
SUSE Linux Enterprise Module for Containers 15 SP7 Not-Affected

Share

CVE-2026-13434 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy