Skip to main content

KubeVirt EUVDEUVD-2026-32748

| CVE-2026-9804 HIGH
Improper Link Resolution Before File Access (CWE-59)
2026-05-28 redhat GHSA-mpmf-3w4r-qfpf
7.7
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
SUSE
HIGH
qualitative
Red Hat
7.7 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 09:20 vuln.today

DescriptionCVE.org

A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link (symlink) within an exported filesystem Persistent Volume Claim (PVC) that points outside its designated mount root, the attacker can read arbitrary files from the exporter pod's filesystem. This leads to information disclosure, potentially exposing sensitive data.

AnalysisAI

Arbitrary file read in KubeVirt's virt-exportserver component allows authenticated namespace users to exfiltrate sensitive files from the exporter pod via symlink-based path traversal in the VMExport directory endpoint. The flaw, reported by Red Hat and impacting Red Hat OpenShift Virtualization 4, carries a CVSS 7.7 score driven by scope change and high confidentiality impact, though no public exploit identified at time of analysis.

Technical ContextAI

KubeVirt is an open-source extension to Kubernetes that enables running and managing virtual machine workloads alongside containers, and the virt-exportserver subcomponent provides a VMExport endpoint that streams the contents of filesystem-backed Persistent Volume Claims (PVCs) to authorized clients. The root cause is CWE-59 (Improper Link Resolution Before File Access, aka 'Link Following'): the export server does not validate that filesystem entries within the exported PVC stay inside the designated mount root before dereferencing them, so a symbolic link planted in the PVC is resolved against the exporter pod's own filesystem namespace, exposing arbitrary files mounted into that pod (service account tokens, certificates, configuration). The Red Hat tracker pins exposure to Red Hat OpenShift Virtualization 4, which packages KubeVirt as its virtualization layer.

RemediationAI

Patch available per vendor advisory - upgrade Red Hat OpenShift Virtualization 4 to the fixed build identified at https://access.redhat.com/security/cve/CVE-2026-9804 (cross-reference https://bugzilla.redhat.com/show_bug.cgi?id=2482487 for the exact errata version applicable to your stream). Until patched, tighten RBAC so that the namespace verbs required to create or trigger VirtualMachineExport resources and to write into source PVCs are limited to trusted administrators, and audit existing exportable PVCs for unexpected symlinks; as a stronger compensating control, temporarily disable or block creation of VirtualMachineExport custom resources via an admission policy (Kyverno/Gatekeeper) - the trade-off is loss of in-cluster VM disk export/migration workflows until the patch is applied. Consider also restricting which service accounts and secrets are mounted into virt-exportserver pods to minimize the blast radius of arbitrary file reads if exploitation occurs before patching.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed
SUSE Linux Enterprise Module for Containers 15 SP7 Fixed

Share

EUVD-2026-32748 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy