Skip to main content

KubeVirt virt-handler CVE-2026-7374

| EUVDEUVD-2026-31824 CRITICAL
Improper Link Resolution Before File Access (CWE-59)
2026-05-26 redhat GHSA-7jcp-v9w4-wjmg
9.9
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
9.9 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 08:35 vuln.today

DescriptionCVE.org

A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to the host's container runtime (CRI-O) socket, an attacker can hijack virt-handler's privileged connection. This enables the attacker to access any Unix socket on the host, potentially leading to full control of the node and the entire cluster.

AnalysisAI

Privilege escalation to cluster-wide control in KubeVirt's virt-handler component (as shipped in Red Hat OpenShift Virtualization 4) allows a namespace-scoped OpenShift user with edit permissions to hijack the virt-handler's privileged Unix socket connection via a symlink swap on a virtual machine console socket. Successful exploitation leads to interaction with arbitrary host Unix sockets, including CRI-O, enabling node takeover and cluster compromise. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.12%, 30th percentile), but CVSS is 9.9 with a scope change reflecting the host/cluster blast radius.

Technical ContextAI

KubeVirt extends Kubernetes to run virtual machines as pods, with virt-handler running as a privileged DaemonSet on each node so it can manage VM lifecycle and connect to per-VM Unix sockets (such as the serial console socket) inside tenant-controlled paths. The root cause is CWE-59 (Improper Link Resolution Before File Access, aka 'Link Following'): virt-handler opens the console socket path without validating that it is a real socket rather than a symlink, so a tenant with edit rights in a namespace can replace the expected socket with a symlink pointing at the host's CRI-O runtime socket. Because virt-handler runs with host-level privileges and host filesystem access, the dereference happens in the privileged context and connects the attacker to whichever Unix socket the symlink targets - in particular CRI-O, the OCI runtime that controls all containers on the node.

RemediationAI

Patch available per vendor advisory: apply the Red Hat OpenShift Virtualization updates published in RHSA-2026:20720, 20736, 20763, 20767, 20782, 20825, 20866, 20886, 20890, and 20975 (all at https://access.redhat.com/errata/) corresponding to your OpenShift Virtualization 4 stream, and on SUSE apply SUSE-SU-2026:2077. Until the cluster is patched, reduce exposure by tightening RBAC so that untrusted users do not hold edit (or higher) verbs on VirtualMachine/VirtualMachineInstance resources in shared namespaces - this directly removes the PR:L precondition but breaks self-service VM management for those users; additionally, restrict or audit use of the virtctl console / VM console subresource for tenant namespaces, accepting that legitimate console troubleshooting will be impacted. Network-layer mitigations are not effective here because the abuse path is the in-cluster console socket on the node, not an exposed network service.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Containers 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed

Share

CVE-2026-7374 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy