Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
AV:L because exploitation requires process execution on the node; PR:L because a compromised virt-launcher (low-privilege process) is needed; S:C and A:H because forged events disrupt VMIs outside the attacker's own workload.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in KubeVirt's virt-handler domain notify server. The gRPC handlers for HandleDomainEvent and HandleK8SEvent derive the VMI identity (namespace/name) solely from the request body without validating it against the connection's origin. Each virt-launcher pod connects through a per-VMI pipe socket, but no identity tag is propagated from the pipe path to the server handlers. This allows a compromised virt-launcher process to send forged domain lifecycle events for any other VMI scheduled on the same node, causing virt-handler to erroneously update that VMI's state and disrupt its lifecycle management.
AnalysisAI
KubeVirt's virt-handler domain notify server allows a compromised virt-launcher process to forge lifecycle events for any other VMI scheduled on the same Kubernetes node, causing virt-handler to corrupt that VMI's state and disrupt its lifecycle management. The root cause is that gRPC handlers for HandleDomainEvent and HandleK8SEvent accept VMI namespace/name exclusively from the request body, never cross-checking against the per-VMI pipe socket the connection arrived on. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires prior code execution within a virt-launcher pod on the same Kubernetes node as the target VMI - the attacker must first compromise one virt-launcher process (e.g., through a guest-visible vulnerability, container escape, or supply-chain compromise of the virt-launcher image). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H) scores at 6.5 Medium, but the changed-scope designation (S:C) and A:H signal meaningful blast radius: a single compromised virt-launcher can disrupt every VMI on the same node, not just its own. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has achieved code execution inside a virt-launcher pod - for example via a vulnerability in the containerized workload or a container escape - can craft a gRPC message to HandleDomainEvent claiming the namespace and name of a high-value VMI belonging to a different tenant on the same Kubernetes node. Because virt-handler blindly trusts this claimed identity, the forged event causes it to transition the victim VMI into an incorrect lifecycle state (e.g., marking it as shut down or failed), triggering erroneous remediation actions and causing availability loss for that workload. … |
| Remediation | No specific patch version was included in the available intelligence data; the primary reference for fix status is https://access.redhat.com/security/cve/CVE-2026-13208, which should be consulted for updated patch information. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to confi
A flaw was found in kubevirt 0.29 and earlier. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploi
KubeVirt is a virtual machine management add-on for Kubernetes. Rated high severity (CVSS 8.2), this vulnerability is re
Local privilege boundary bypass in KubeVirt's safepath package lets an attacker who controls a virt-launcher pod trick t
Server-side request forgery in KubeVirt's virt-api port-forward handler allows authenticated Kubernetes users with kubev
An issue in kubevirt kubevirt v1.2.0 and before allows a local attacker to execute arbitrary code via a crafted command
Symlink-following in KubeVirt's virt-handler permits a container-level attacker to overwrite arbitrary host files and ch
KubeVirt is a virtual machine management add-on for Kubernetes. Rated high severity (CVSS 8.5), this vulnerability is no
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.0). Public exploit code av
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 6.9), this vulnerability is
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 5.3), this vulnerability is
KubeVirt is a virtual machine management add-on for Kubernetes. Rated medium severity (CVSS 4.7). Public exploit code av
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Micro 5.3 | Affected |
| SUSE Linux Enterprise Micro 5.4 | Affected |
| SUSE Linux Enterprise Micro 5.5 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| SUSE Linux Micro 6.0 | Affected |
| SUSE Linux Micro 6.1 | Affected |
| SUSE Linux Micro 6.2 | Affected |
| openSUSE Leap 16.0 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP4 | Affected |
| SUSE Linux Enterprise Module for Containers 15 SP5 | Affected |
| SUSE Linux Enterprise Server 15 SP4 | Affected |
| SUSE Linux Enterprise Server 15 SP5 | Affected |
| SUSE Manager Proxy 4.3 | Affected |
| SUSE Manager Retail Branch Server 4.3 | Affected |
| SUSE Manager Server 4.3 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| openSUSE Leap 15.4 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap Micro 5.3 | Affected |
| openSUSE Leap Micro 5.4 | Affected |
| openSUSE Leap Micro 5.5 | Affected |
| SUSE Linux Micro Extras 6.0 | Affected |
| SUSE Linux Micro Extras 6.1 | Affected |
| SUSE Linux Micro Extras 6.2 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39087
GHSA-72r2-m3hg-cvf5