Impact
A flaw in KubeVirt’s downward metrics virtio‑serial server allows a guest process to send an unbounded stream of data to the virt‑handler component. The server uses a textproto.Reader.ReadLine() call that buffers input until a newline without length limits or a deadline, resulting in unlimited memory allocation and eventual OOM termination of the virt‑handler process.
Affected Systems
Red Hat OpenShift Virtualization 4, including its container native virtualization product, is impacted when the virt‑handler component runs with a downward metrics virtio‑serial device enabled. Any VM configured to expose that device can be exploited by an attacker who has write access to the guest.
Risk and Exploitability
The CVSS score of 3.8 indicates a low‑severity resource‑exhaustion vulnerability, and the EPSS score is not available, suggesting limited evidence of real‑world exploitation. The vulnerability is not listed in KEV and can be mitigated by removing or restricting the device rather than by immediate patching. The attacker requires access to a VM guest with the device enabled; without that, the vulnerability is not exploitable.
OpenCVE Enrichment