Description
A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership.
Published: 2026-06-25
Score: 4.2 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in KubeVirt's virt-handler network cache handling allows a user who can access the virt-launcher container to plant a symlink at the cache file path. The WriteToCachedFile function writes to this path without protecting against symlinks, causing virt-handler to follow the link and overwrite an arbitrary host file with JSON content and change its ownership. This is a symlink traversal flaw (CWE‑61) that can lead to alteration of host system files, compromising system integrity.

Affected Systems

Red Hat OpenShift Virtualization 4 (KubeVirt) is affected. No specific version information is provided.

Risk and Exploitability

The CVSS score of 4.2 indicates low overall severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker who can create a symlink within the virt-launcher container and trigger the WriteToCachedFile operation; no special privileges beyond container access are noted. The risk is limited to the host file that can be overwritten, but the impact on system integrity could be significant if critical files are targeted.

Generated by OpenCVE AI on June 26, 2026 at 00:21 UTC.

Remediation

Vendor Workaround

Ensure virtual machines use the default masquerade network binding mode where possible. Restrict pods/exec access on virt-launcher pods to only trusted administrators. Review and restrict NetworkAttachmentDefinition resources to limit which namespaces can configure bridge-type network interfaces.

OpenCVE Recommended Actions

  • Restrict pods/exec access on virt-launcher pods to only trusted administrators.
  • Ensure virtual machines use the default masquerade network binding mode where possible.
  • Review and restrict NetworkAttachmentDefinition resources to limit which namespaces can configure bridge-type network interfaces.

Generated by OpenCVE AI on June 26, 2026 at 00:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 25 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership.
Title Kubevirt: kubevirt: symlink following in writetocachedfile allows host file overwrite from virt-launcher
First Time appeared Redhat
Redhat container Native Virtualization
Weaknesses CWE-61
CPEs cpe:/a:redhat:container_native_virtualization:4
Vendors & Products Redhat
Redhat container Native Virtualization
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L'}

Subscriptions

Redhat Container Native Virtualization
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-25T23:23:23.228Z

Reserved: 2026-06-24T15:29:58.096Z

Link: CVE-2026-13218

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-13218 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T00:30:17Z

Weaknesses
  • CWE-61

    UNIX Symbolic Link (Symlink) Following