Skip to main content

OpenShift Virtualization EUVDEUVD-2026-39599

| CVE-2026-13322 LOW
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-26 redhat GHSA-6f2p-2qg2-qqch
3.8
CVSS 3.1 · Vendor: redhat

Severity by source

Vendor (redhat) PRIMARY
3.8 LOW
AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
vuln.today AI
6.5 MEDIUM

Raising A to H because OOM-killing virt-handler disrupts all VMs on the node, not just one; all other metrics align with vendor vector.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L
Red Hat
3.8 LOW
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 00:31 vuln.today

DescriptionCVE.org

A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is received, with no length limit or read deadline. A user with access to a VM guest that has the downward metrics virtio-serial device configured can write a continuous byte stream to the device, causing unbounded memory allocation in the virt-handler process until it is OOM-killed.

AnalysisAI

Unbounded memory allocation in KubeVirt's downward metrics virtio-serial server within Red Hat OpenShift Virtualization 4 allows a local VM guest user to exhaust host-side memory. The virt-handler process - which runs on the Kubernetes node and manages VM lifecycle - uses textproto.Reader.ReadLine() with no read deadline or buffer cap, so a continuous byte stream from the guest causes virt-handler to allocate memory without bound until the Linux OOM killer terminates it. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege shell in target VM guest
Delivery
Identify exposed virtio-serial device node for downward metrics
Exploit
Write continuous byte stream to device without newline
Execution
virt-handler buffers input indefinitely on host
Persist
Host node memory exhausted
Impact
OOM killer terminates virt-handler process

Vulnerability AssessmentAI

Exploitation Exploitation requires two specific conditions to be simultaneously true: the attacker must have shell or console access (PR:L) inside a running guest VM, and that VM must have the KubeVirt downward metrics feature enabled with its virtio-serial device exposed to the guest. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 3.8 (Low) is consistent with the vector AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user with shell access to a VM guest that has the downward metrics virtio-serial device configured executes a simple command such as 'cat /dev/zero > /dev/virtio-ports/org.qemu.guest_agent.0' or writes a continuous stream to the appropriate virtio-serial device node. The virt-handler process on the Kubernetes node incrementally allocates heap memory for each byte received, and because no size limit or timeout is enforced, the process grows until the Linux OOM killer terminates it. …
Remediation Patch available per vendor advisory - consult https://access.redhat.com/security/cve/CVE-2026-13322 for the released fix version, as no specific patched release number was confirmed in the available source data at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

EUVD-2026-39599 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy