Description
A flaw was found in KubeVirt's safepath package. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream helpers operate via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel dereferences it, defeating the intended no-follow protection. An attacker with access to a virt-launcher pod can exploit this to cause virt-handler to apply file ownership or permission changes to an unintended host path.
Published: 2026-06-24
Score: 5.2 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the safepath package of KubeVirt causes the kernel to follow symlinks even when called with O_NOFOLLOW. When the leaf node is a symlink, the downstream helper that uses /proc/self/fd/N dereferences it, allowing the virt-handler process to change ownership or permission bits on a file that lies on the host filesystem instead of the intended target. This weakness is a classic path traversal/relative path confusion problem (CWE‑61) that can result in corruption of host metadata, enabling privilege escalation or persistence on the host. The impact is limited to changing file host’s security state.

Affected Systems

Red Hat OpenShift Virtualization 4 (Container Native Virtualization 4) is affected. The vulnerability exists in the KubeVirt component that runs inside the virt-handler and virt-launcher pods on this distribution.

Risk and Exploitability

The CVSS score of 5.2 indicates a moderate impact. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. An attacker must have the ability to run commands within a virt-launcher pod that can invoke the flawed safepath logic. The attack can be executed locally from the pod’s namespace and does not require external network access. The primary vector is therefore an internal privilege escalation or local compromise within a containerized environment.

Generated by OpenCVE AI on June 25, 2026 at 00:28 UTC.

Remediation

Vendor Workaround

The following default configurations in OpenShift Virtualization significantly reduce exploitability and impact: 1. Ensure SELinux is in enforcing mode (default in OpenShift). This restricts the set of host files that virt-handler can modify through this path, blocking operations on files with protected security labels. 2. RHCOS immutable filesystem layers prevent modification of core OS files. 3. Review RBAC policies to limit unnecessary pods/exec permissions on virt-launcher pods to reduce the attacker pool.

OpenCVE Recommended Actions

  • Ensure SELinux is set to enforcing mode, which prevents virt-handler from modifying host files with protected security labels.
  • Maintain the RHCOS immutable filesystem layers so core OS files cannot be altered by virt-handler.
  • Restrict RBAC permissions on virt-launcher pods to limit unnecessary exec or privileged capabilities, reducing the attacker pool.

Generated by OpenCVE AI on June 25, 2026 at 00:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 24 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in KubeVirt's safepath package. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream helpers operate via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel dereferences it, defeating the intended no-follow protection. An attacker with access to a virt-launcher pod can exploit this to cause virt-handler to apply file ownership or permission changes to an unintended host path.
Title Kubevirt: virt-handler-rhel9: kubevirt: safepath openatnofollow symlink following via /proc/self/fd allows host file metadata modification
First Time appeared Redhat
Redhat container Native Virtualization
Weaknesses CWE-61
CPEs cpe:/a:redhat:container_native_virtualization:4
Vendors & Products Redhat
Redhat container Native Virtualization
References
Metrics cvssV3_1

{'score': 5.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L'}

Subscriptions

Redhat Container Native Virtualization
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-24T20:39:00.173Z

Reserved: 2026-06-24T13:58:29.925Z

Link: CVE-2026-13201

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-13201 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T00:30:03Z

Weaknesses
  • CWE-61

    UNIX Symbolic Link (Symlink) Following