Impact
A flaw in KubeVirt’s safepath package causes the kernel to follow symbolic links even when the open flags specify no‑follow protection. When the path leaf is a symlink, a later resolution step dereferences it, allowing the virt-handler process to change ownership or permission bits on unintended host paths. The same flaw lets a user with access to a virt-launcher pod redirect virt-handler’s IPC socket connections, including the notify socket used for VM lifecycle events. By hijacking this socket, an attacker can inject arbitrary domain events, leading to incorrect lifecycle actions, corruption of VM state in the Kubernetes API or crashes, which in turn result in sustained denial of virtual machine management services on the affected node.
Affected Systems
Red Hat OpenShift Virtualization 4 (Container Native Virtualization 4) is affected. The vulnerability exists in the KubeVirt component that runs inside the virt-handler and virt-launcher pods on this distribution; no specific version numbers are listed, but the issue appears in releases that include the safepath package used by virt-handler in RHEL 9 environments.
Risk and Exploitability
The CVSS score of 7.3 indicates a high impact, and the EPSS score of < 1% shows that exploitation is currently low probability. The vulnerability is not listed in the CISA KEV catalog. A local attacker who can execute commands within a virt-launcher pod is capable of exploiting the flaw, which does not require external network access but requires sufficient pod privileges. The primary threat vector is therefore an internal, privilege‑escalation or local compromise within the containerized environment, enabling notify socket hijacking and denial of VM services.
OpenCVE Enrichment