Skip to main content

Red Hat Openshift Virtualization 4

5 CVEs product

Monthly

CVE-2026-13434 MEDIUM This Month

Network annotation injection in KubeVirt's VirtualMachineInstance API allows authenticated tenants to attach launcher pods to arbitrary network namespaces by writing unsanitized JSON into the Multus CNI default-network annotation. Exploitation is gated on the ExternalNetResourceInjection Beta feature gate being explicitly enabled by a cluster-admin (off by default, first available in OpenShift Virtualization 4.21), which intentionally bypasses the NAD namespace lookup that would otherwise reject malformed annotation values. A successful attack permits cross-namespace network attachment and IP/MAC address impersonation on segments normally segregated from tenant workloads; no public exploit has been identified at time of analysis.

Code Injection Red Hat Openshift Virtualization 4 Suse
NVD VulDB
CVSS 3.1
4.9
EPSS
0.2%
CVE-2026-13325 HIGH This Week

Cross-tenant VM compromise in KubeVirt (and Red Hat OpenShift Virtualization 4) occurs when spec.configuration.migrations.disableTLS is set to true, causing virt-handler to expose an unauthenticated plaintext TCP proxy into a virt-launcher's virtqemud control socket on all interfaces. An authenticated tenant who can run any pod on the cluster network can reach this listener and issue arbitrary libvirt RPC commands against another tenant's virtual machine - reading guest memory, altering VM state via QMP, or destroying the VM. No public exploit identified at time of analysis; not listed in CISA KEV, and no EPSS score was provided.

Authentication Bypass Red Hat Openshift Virtualization 4
NVD VulDB
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-13322 LOW Monitor

Unbounded memory allocation in KubeVirt's downward metrics virtio-serial server within Red Hat OpenShift Virtualization 4 allows a local VM guest user to exhaust host-side memory. The virt-handler process - which runs on the Kubernetes node and manages VM lifecycle - uses textproto.Reader.ReadLine() with no read deadline or buffer cap, so a continuous byte stream from the guest causes virt-handler to allocate memory without bound until the Linux OOM killer terminates it. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; the CVSS score of 3.8 reflects low severity but the scope-change flag (S:C) correctly captures that the disruption crosses the guest boundary to a privileged host process.

Denial Of Service Red Hat Openshift Virtualization 4
NVD
CVSS 3.1
3.8
EPSS
0.1%
CVE-2026-9804 Go HIGH PATCH GHSA This Week

Arbitrary file read in KubeVirt's virt-exportserver component allows authenticated namespace users to exfiltrate sensitive files from the exporter pod via symlink-based path traversal in the VMExport directory endpoint. The flaw, reported by Red Hat and impacting Red Hat OpenShift Virtualization 4, carries a CVSS 7.7 score driven by scope change and high confidentiality impact, though no public exploit identified at time of analysis.

Information Disclosure Path Traversal Red Hat Openshift Virtualization 4
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-7374 Go CRITICAL PATCH GHSA Act Now

Privilege escalation to cluster-wide control in KubeVirt's virt-handler component (as shipped in Red Hat OpenShift Virtualization 4) allows a namespace-scoped OpenShift user with edit permissions to hijack the virt-handler's privileged Unix socket connection via a symlink swap on a virtual machine console socket. Successful exploitation leads to interaction with arbitrary host Unix sockets, including CRI-O, enabling node takeover and cluster compromise. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.12%, 30th percentile), but CVSS is 9.9 with a scope change reflecting the host/cluster blast radius.

Information Disclosure Red Hat Openshift Virtualization 4
NVD VulDB
CVSS 3.1
9.9
EPSS
0.1%
EPSS 0% CVSS 4.9
MEDIUM This Month

Network annotation injection in KubeVirt's VirtualMachineInstance API allows authenticated tenants to attach launcher pods to arbitrary network namespaces by writing unsanitized JSON into the Multus CNI default-network annotation. Exploitation is gated on the ExternalNetResourceInjection Beta feature gate being explicitly enabled by a cluster-admin (off by default, first available in OpenShift Virtualization 4.21), which intentionally bypasses the NAD namespace lookup that would otherwise reject malformed annotation values. A successful attack permits cross-namespace network attachment and IP/MAC address impersonation on segments normally segregated from tenant workloads; no public exploit has been identified at time of analysis.

Code Injection Red Hat Openshift Virtualization 4 Suse
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Cross-tenant VM compromise in KubeVirt (and Red Hat OpenShift Virtualization 4) occurs when spec.configuration.migrations.disableTLS is set to true, causing virt-handler to expose an unauthenticated plaintext TCP proxy into a virt-launcher's virtqemud control socket on all interfaces. An authenticated tenant who can run any pod on the cluster network can reach this listener and issue arbitrary libvirt RPC commands against another tenant's virtual machine - reading guest memory, altering VM state via QMP, or destroying the VM. No public exploit identified at time of analysis; not listed in CISA KEV, and no EPSS score was provided.

Authentication Bypass Red Hat Openshift Virtualization 4
NVD VulDB
EPSS 0% CVSS 3.8
LOW Monitor

Unbounded memory allocation in KubeVirt's downward metrics virtio-serial server within Red Hat OpenShift Virtualization 4 allows a local VM guest user to exhaust host-side memory. The virt-handler process - which runs on the Kubernetes node and manages VM lifecycle - uses textproto.Reader.ReadLine() with no read deadline or buffer cap, so a continuous byte stream from the guest causes virt-handler to allocate memory without bound until the Linux OOM killer terminates it. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; the CVSS score of 3.8 reflects low severity but the scope-change flag (S:C) correctly captures that the disruption crosses the guest boundary to a privileged host process.

Denial Of Service Red Hat Openshift Virtualization 4
NVD
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Arbitrary file read in KubeVirt's virt-exportserver component allows authenticated namespace users to exfiltrate sensitive files from the exporter pod via symlink-based path traversal in the VMExport directory endpoint. The flaw, reported by Red Hat and impacting Red Hat OpenShift Virtualization 4, carries a CVSS 7.7 score driven by scope change and high confidentiality impact, though no public exploit identified at time of analysis.

Information Disclosure Path Traversal Red Hat Openshift Virtualization 4
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation to cluster-wide control in KubeVirt's virt-handler component (as shipped in Red Hat OpenShift Virtualization 4) allows a namespace-scoped OpenShift user with edit permissions to hijack the virt-handler's privileged Unix socket connection via a symlink swap on a virtual machine console socket. Successful exploitation leads to interaction with arbitrary host Unix sockets, including CRI-O, enabling node takeover and cluster compromise. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.12%, 30th percentile), but CVSS is 9.9 with a scope change reflecting the host/cluster blast radius.

Information Disclosure Red Hat Openshift Virtualization 4
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy