Description
A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership.
Published: 2026-06-25
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in KubeVirt's virt-handler network cache handling allows a user who can access the virt-launcher container to plant a symlink at the cache file path. The WriteToCachedFile function writes to this path without protecting against symlinks, causing virt-handler to follow the link and overwrite an arbitrary host file with JSON content and change its ownership. This is a symlink traversal flaw (CWE‑61) that can lead to alteration of host system files, compromising system integrity.

Affected Systems

Red Hat OpenShift Virtualization 4 (KubeVirt) is affected. No specific version information is provided.

Risk and Exploitability

The CVSS score of 4.2 indicates low overall severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker who can create a symlink within the virt-launcher container and trigger the WriteToCachedFile operation; no special privileges beyond container access are noted. The risk is limited to the host file that can be overwritten, but the impact on system integrity could be significant if critical files are targeted.

Generated by OpenCVE AI on June 26, 2026 at 00:21 UTC.

Remediation

Vendor Workaround

Ensure virtual machines use the default masquerade network binding mode where possible. Restrict pods/exec access on virt-launcher pods to only trusted administrators. Review and restrict NetworkAttachmentDefinition resources to limit which namespaces can configure bridge-type network interfaces.


OpenCVE Recommended Actions

  • Restrict pods/exec access on virt-launcher pods to only trusted administrators.
  • Ensure virtual machines use the default masquerade network binding mode where possible.
  • Review and restrict NetworkAttachmentDefinition resources to limit which namespaces can configure bridge-type network interfaces.

Generated by OpenCVE AI on June 26, 2026 at 00:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Kubevirt
Kubevirt kubevirt
Redhat openshift Virtualization
Vendors & Products Kubevirt
Kubevirt kubevirt
Redhat openshift Virtualization

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 25 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership.
Title Kubevirt: kubevirt: symlink following in writetocachedfile allows host file overwrite from virt-launcher
First Time appeared Redhat
Redhat container Native Virtualization
Weaknesses CWE-61
CPEs cpe:/a:redhat:container_native_virtualization:4
Vendors & Products Redhat
Redhat container Native Virtualization
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L'}


Subscriptions

Kubevirt Kubevirt
Redhat Container Native Virtualization Openshift Virtualization
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-26T14:58:48.021Z

Reserved: 2026-06-24T15:29:58.096Z

Link: CVE-2026-13218

cve-icon Vulnrichment

Updated: 2026-06-26T14:58:39.972Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-13218 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:36:04Z

Weaknesses
  • CWE-61

    UNIX Symbolic Link (Symlink) Following