Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link (symlink) within an exported filesystem Persistent Volume Claim (PVC) that points outside its designated mount root, the attacker can read arbitrary files from the exporter pod's filesystem. This leads to information disclosure, potentially exposing sensitive data.
AnalysisAI
Arbitrary file read in KubeVirt's virt-exportserver component allows authenticated namespace users to exfiltrate sensitive files from the exporter pod via symlink-based path traversal in the VMExport directory endpoint. The flaw, reported by Red Hat and impacting Red Hat OpenShift Virtualization 4, carries a CVSS 7.7 score driven by scope change and high confidentiality impact, though no public exploit identified at time of analysis.
Technical ContextAI
KubeVirt is an open-source extension to Kubernetes that enables running and managing virtual machine workloads alongside containers, and the virt-exportserver subcomponent provides a VMExport endpoint that streams the contents of filesystem-backed Persistent Volume Claims (PVCs) to authorized clients. The root cause is CWE-59 (Improper Link Resolution Before File Access, aka 'Link Following'): the export server does not validate that filesystem entries within the exported PVC stay inside the designated mount root before dereferencing them, so a symbolic link planted in the PVC is resolved against the exporter pod's own filesystem namespace, exposing arbitrary files mounted into that pod (service account tokens, certificates, configuration). The Red Hat tracker pins exposure to Red Hat OpenShift Virtualization 4, which packages KubeVirt as its virtualization layer.
RemediationAI
Patch available per vendor advisory - upgrade Red Hat OpenShift Virtualization 4 to the fixed build identified at https://access.redhat.com/security/cve/CVE-2026-9804 (cross-reference https://bugzilla.redhat.com/show_bug.cgi?id=2482487 for the exact errata version applicable to your stream). Until patched, tighten RBAC so that the namespace verbs required to create or trigger VirtualMachineExport resources and to write into source PVCs are limited to trusted administrators, and audit existing exportable PVCs for unexpected symlinks; as a stronger compensating control, temporarily disable or block creation of VirtualMachineExport custom resources via an admission policy (Kyverno/Gatekeeper) - the trade-off is loss of in-cluster VM disk export/migration workflows until the patch is applied. Consider also restricting which service accounts and secrets are mounted into virt-exportserver pods to minimize the blast radius of arbitrary file reads if exploitation occurs before patching.
Privilege escalation to cluster-wide control in KubeVirt's virt-handler component (as shipped in Red Hat OpenShift Virtu
Cross-tenant VM compromise in KubeVirt (and Red Hat OpenShift Virtualization 4) occurs when spec.configuration.migration
Network annotation injection in KubeVirt's VirtualMachineInstance API allows authenticated tenants to attach launcher po
Unbounded memory allocation in KubeVirt's downward metrics virtio-serial server within Red Hat OpenShift Virtualization
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Module for Containers 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.1 | Fixed |
| SUSE Linux Micro 6.2 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Containers 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Containers 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Manager Proxy 4.3 | Fixed |
| SUSE Manager Retail Branch Server 4.3 | Fixed |
| SUSE Manager Server 4.3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap Micro 5.3 | Fixed |
| openSUSE Leap Micro 5.4 | Fixed |
| openSUSE Leap Micro 5.5 | Fixed |
| SUSE Linux Micro Extras 6.0 | Fixed |
| SUSE Linux Micro Extras 6.1 | Fixed |
| SUSE Linux Micro Extras 6.2 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32748
GHSA-mpmf-3w4r-qfpf