Description
A flaw was found in KubeVirt's virt-handler domain notify server. The gRPC handlers for HandleDomainEvent and HandleK8SEvent derive the VMI identity (namespace/name) solely from the request body without validating it against the connection's origin. Each virt-launcher pod connects through a per-VMI pipe socket, but no identity tag is propagated from the pipe path to the server handlers. This allows a compromised virt-launcher process to send forged domain lifecycle events for any other VMI scheduled on the same node, causing virt-handler to erroneously update that VMI's state and disrupt its lifecycle management.
Published: 2026-06-24
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

KubeVirt’s virt‑handler component contains a flaw in its domain notify server; the gRPC handlers for handling domain events tie the Virtual Machine Instance identity solely to the contents of the request body, with no verification of the caller’s origin. This design permits a compromised or malicious virt‑launcher process to fabricate lifecycle events and announce them as if they came from any VMI on the same node. The result is the virt‑handler updating the state of arbitrary VMIs, potentially leading to denial of service or unintended termination or suspension of virtual machines. The weakness is an authentication bypass (CWE‑287).
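The check that is missing, as an added Go sketch (not KubeVirt's or OpenCVE's code): the server tags each connection with the identity of the per-VMI socket it arrived on and rejects events whose body names a different VMI. The types, function names and the `<namespace>_<name>/notify.sock` socket layout are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// VMIKey and DomainEvent are simplified stand-ins, not KubeVirt's types.
type VMIKey struct{ Namespace, Name string }
type DomainEvent struct{ Namespace, Name, Status string }

var ErrIdentityMismatch = errors.New("event identity does not match connection origin")

// originFromSocket derives the caller's identity from the socket it connected
// through. The ".../<namespace>_<name>/notify.sock" layout is an assumption.
func originFromSocket(path string) (VMIKey, error) {
	ns, name, ok := strings.Cut(filepath.Base(filepath.Dir(path)), "_")
	if !ok || ns == "" || name == "" {
		return VMIKey{}, fmt.Errorf("cannot derive VMI identity from %q", path)
	}
	return VMIKey{ns, name}, nil
}

// handleTrustingBody models the flawed pattern: the request body alone
// selects which VMI's state is updated.
func handleTrustingBody(state map[VMIKey]string, ev DomainEvent) {
	state[VMIKey{ev.Namespace, ev.Name}] = ev.Status
}

// handleBoundToOrigin rejects any event whose claimed identity differs from
// the identity tagged on the connection when it was accepted.
func handleBoundToOrigin(state map[VMIKey]string, origin VMIKey, ev DomainEvent) error {
	if claimed := (VMIKey{ev.Namespace, ev.Name}); claimed != origin {
		return ErrIdentityMismatch
	}
	state[origin] = ev.Status
	return nil
}

func main() {
	state := map[VMIKey]string{{"tenant-b", "vm-2"}: "Running"}
	origin, _ := originFromSocket("/constructed/sockets/tenant-a_vm-1/notify.sock")
	ev := DomainEvent{"tenant-b", "vm-2", "Shutoff"} // constructed mismatching event
	fmt.Println(handleBoundToOrigin(state, origin, ev), state)
}
```

A rejected event is also a useful detection signal: a launcher that names another VMI has no legitimate reason to do so.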

Affected Systems

The vulnerability affects Red Hat OpenShift Virtualization 4 through its KubeVirt integration, specifically the virt‑handler component that processes VMI-related gRPC notifications. Version specifics are not disclosed in the CNA data, meaning any deployment that includes this component is potentially affected until a fix is applied.

Risk and Exploitability

A CVSS score of 6.5 indicates moderate severity. EPSS data is unavailable and the issue is not currently listed in the CISA KEV catalog. Attackers must be able to execute code within a virt‑launcher pod on the same host to send forged gRPC messages, but once that condition is met they can impersonate any VMI identity and trigger lifecycle events that disrupt target VM operations.

Generated by OpenCVE AI on June 25, 2026 at 00:28 UTC.

Remediation

Vendor Workaround

Organizations can reduce exposure by: (1) restricting pods/exec permission on virt-launcher pods via admission policies (e.g., Gatekeeper or Kyverno rules denying exec on pods with the kubevirt.io launcher label), (2) using node affinity or dedicated node pools to isolate high-security tenant workloads from untrusted tenants, and (3) monitoring for unexpected VMI state transitions via cluster alerting.


OpenCVE Recommended Actions

  • Restrict execution permissions on virt‑launcher pods by applying admission policies that deny exec on pods labeled kubevirt.io/launcher.
  • Configure node affinity or dedicated node pools to isolate high‑security tenant workloads from untrusted tenants.
  • Monitor for unexpected VMI state transitions via cluster alerting systems.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Wed, 24 Jun 2026 21:15:00 +0000

Type | Values Removed | Values Added
Description | | A flaw was found in KubeVirt's virt-handler domain notify server. The gRPC handlers for HandleDomainEvent and HandleK8SEvent derive the VMI identity (namespace/name) solely from the request body without validating it against the connection's origin. Each virt-launcher pod connects through a per-VMI pipe socket, but no identity tag is propagated from the pipe path to the server handlers. This allows a compromised virt-launcher process to send forged domain lifecycle events for any other VMI scheduled on the same node, causing virt-handler to erroneously update that VMI's state and disrupt its lifecycle management.
Title | | Kubevirt: virt-handler-rhel9: kubevirt: virt-handler notify server trusts vmi identity from unauthenticated grpc request body
First Time appeared | | Redhat; Redhat container Native Virtualization
Weaknesses | | CWE-287
CPEs | | cpe:/a:redhat:container_native_virtualization:4
Vendors & Products | | Redhat; Redhat container Native Virtualization
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-24T20:39:00.675Z

Reserved: 2026-06-24T14:53:27.480Z

Link: CVE-2026-13208

Vulnrichment

No data.

NVD

No data.

Redhat

Severity: Moderate

Public Date: 2026-06-24T00:00:00Z

Links: CVE-2026-13208 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-25T00:30:03Z

Weaknesses