Skip to main content

Openshift Virtualization

6 CVEs product

Monthly

CVE-2026-13318 MEDIUM This Month

Server-side request forgery in KubeVirt's virt-api port-forward handler allows authenticated Kubernetes users with kubevirt.io:edit permissions to establish arbitrary bidirectional TCP tunnels from virt-api's trusted cluster-internal network position to any routable destination, bypassing NetworkPolicy isolation. The vulnerability arises because virt-api reads the target IP from vmi.Status.Interfaces[0].IP - a value supplied by the QEMU guest agent inside the VM and thus fully controllable by the VM owner when non-masquerade network bindings (bridge or secondary-only) are in use - and passes it directly to net.Dial() without validation. No public exploit or active exploitation has been identified at time of analysis; EPSS data was not available in the provided intelligence.

SSRF Kubevirt Openshift Virtualization
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-13218 MEDIUM This Month

Symlink-following in KubeVirt's virt-handler permits a container-level attacker to overwrite arbitrary host files and change their ownership. An attacker with access to the virt-launcher container can plant a symlink at the network cache file path expected by the `WriteToCachedFile` function; virt-handler then follows that symlink when calling `os.WriteFile` and `os.Chown`, enabling writes of attacker-influenced JSON content to any path accessible by virt-handler on the host. This represents a partial container-to-host escape - a scope change from the container context to the underlying node - with no public exploit identified at time of analysis.

Information Disclosure Kubevirt Openshift Virtualization
NVD
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-13208 MEDIUM This Month

KubeVirt's virt-handler domain notify server allows a compromised virt-launcher process to forge lifecycle events for any other VMI scheduled on the same Kubernetes node, causing virt-handler to corrupt that VMI's state and disrupt its lifecycle management. The root cause is that gRPC handlers for HandleDomainEvent and HandleK8SEvent accept VMI namespace/name exclusively from the request body, never cross-checking against the per-VMI pipe socket the connection arrived on. With CVSS 6.5 (AV:L/S:C), the attack requires local access via a compromised container but can impact multiple VMIs across tenants on the same node; no public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Kubevirt Openshift Virtualization
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-13201 HIGH This Week

Local privilege boundary bypass in KubeVirt's safepath package lets an attacker who controls a virt-launcher pod trick the privileged virt-handler into applying file ownership or permission changes to unintended host paths. The OpenAtNoFollow safeguard is defeated because downstream helpers re-open the descriptor through /proc/self/fd/N with link-following syscalls, so a symlink at the path leaf is dereferenced. There is no public exploit identified at time of analysis, EPSS is very low (0.12%), and CISA SSVC marks exploitation as none.

Information Disclosure Kubevirt Openshift Virtualization
NVD VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2023-48795 LIB MEDIUM POC PATCH THREAT This Month

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 53.6%.

Authentication Bypass Apache Node.js SSH Java +66
NVD GitHub
CVSS 3.1
5.9
EPSS
53.6%
Threat
4.3
CVE-2020-14316 Go CRITICAL PATCH Act Now

A flaw was found in kubevirt 0.29 and earlier. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Kubevirt Openshift Virtualization
NVD
CVSS 3.1
9.9
EPSS
1.6%
EPSS 0% CVSS 6.4
MEDIUM This Month

Server-side request forgery in KubeVirt's virt-api port-forward handler allows authenticated Kubernetes users with kubevirt.io:edit permissions to establish arbitrary bidirectional TCP tunnels from virt-api's trusted cluster-internal network position to any routable destination, bypassing NetworkPolicy isolation. The vulnerability arises because virt-api reads the target IP from vmi.Status.Interfaces[0].IP - a value supplied by the QEMU guest agent inside the VM and thus fully controllable by the VM owner when non-masquerade network bindings (bridge or secondary-only) are in use - and passes it directly to net.Dial() without validation. No public exploit or active exploitation has been identified at time of analysis; EPSS data was not available in the provided intelligence.

SSRF Kubevirt Openshift Virtualization
NVD
EPSS 0% CVSS 4.2
MEDIUM This Month

Symlink-following in KubeVirt's virt-handler permits a container-level attacker to overwrite arbitrary host files and change their ownership. An attacker with access to the virt-launcher container can plant a symlink at the network cache file path expected by the `WriteToCachedFile` function; virt-handler then follows that symlink when calling `os.WriteFile` and `os.Chown`, enabling writes of attacker-influenced JSON content to any path accessible by virt-handler on the host. This represents a partial container-to-host escape - a scope change from the container context to the underlying node - with no public exploit identified at time of analysis.

Information Disclosure Kubevirt Openshift Virtualization
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

KubeVirt's virt-handler domain notify server allows a compromised virt-launcher process to forge lifecycle events for any other VMI scheduled on the same Kubernetes node, causing virt-handler to corrupt that VMI's state and disrupt its lifecycle management. The root cause is that gRPC handlers for HandleDomainEvent and HandleK8SEvent accept VMI namespace/name exclusively from the request body, never cross-checking against the per-VMI pipe socket the connection arrived on. With CVSS 6.5 (AV:L/S:C), the attack requires local access via a compromised container but can impact multiple VMIs across tenants on the same node; no public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Kubevirt Openshift Virtualization
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Local privilege boundary bypass in KubeVirt's safepath package lets an attacker who controls a virt-launcher pod trick the privileged virt-handler into applying file ownership or permission changes to unintended host paths. The OpenAtNoFollow safeguard is defeated because downstream helpers re-open the descriptor through /proc/self/fd/N with link-following syscalls, so a symlink at the path leaf is dereferenced. There is no public exploit identified at time of analysis, EPSS is very low (0.12%), and CISA SSVC marks exploitation as none.

Information Disclosure Kubevirt Openshift Virtualization
NVD VulDB
EPSS 54% 4.3 CVSS 5.9
MEDIUM POC PATCH THREAT This Month

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 53.6%.

Authentication Bypass Apache Node.js +68
NVD GitHub
EPSS 2% CVSS 9.9
CRITICAL PATCH Act Now

A flaw was found in kubevirt 0.29 and earlier. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Kubevirt Openshift Virtualization
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy