Description
A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is received, with no length limit or read deadline. A user with access to a VM guest that has the downward metrics virtio-serial device configured can write a continuous byte stream to the device, causing unbounded memory allocation in the virt-handler process until it is OOM-killed.
Published: 2026-06-26
Score: 3.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in KubeVirt’s downward metrics virtio‑serial server allows a guest process to send an unbounded stream of data to the virt‑handler component. The server uses a textproto.Reader.ReadLine() call that buffers input until a newline without length limits or a deadline, resulting in unlimited memory allocation and eventual OOM termination of the virt‑handler process.

Affected Systems

Red Hat OpenShift Virtualization 4, including its container native virtualization product, is impacted when the virt‑handler component runs with a downward metrics virtio‑serial device enabled. Any VM configured to expose that device can be exploited by an attacker who has write access to the guest.

Risk and Exploitability

The CVSS score of 3.8 indicates a low‑severity resource‑exhaustion vulnerability, and the EPSS score is not available, suggesting limited evidence of real‑world exploitation. The vulnerability is not listed in KEV and can be mitigated by removing or restricting the device rather than by immediate patching. The attacker requires access to a VM guest with the device enabled; without that, the vulnerability is not exploitable.

Generated by OpenCVE AI on June 26, 2026 at 02:10 UTC.

Remediation

Vendor Workaround

The downward metrics virtio-serial device must be explicitly added to a VM's specification to be present. Clusters that do not use this feature are not exposed. To reduce exposure, administrators can restrict the ability to configure downward metrics devices on tenant VMs by using an admission webhook or policy controller such as Gatekeeper/OPA.


OpenCVE Recommended Actions

  • Disable or remove the downward metrics virtio‑serial device from the specification of all virtual machines
  • Implement an admission webhook or policy controller such as Gatekeeper/OPA to block creation of downward metrics devices on tenant VMs
  • Apply an updated KubeVirt or OpenShift Virtualization release that resolves the unbounded readline handling when it becomes available

Generated by OpenCVE AI on June 26, 2026 at 02:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Kubevirt
Kubevirt kubevirt
Redhat openshift Virtualization
Vendors & Products Kubevirt
Kubevirt kubevirt
Redhat openshift Virtualization

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is received, with no length limit or read deadline. A user with access to a VM guest that has the downward metrics virtio-serial device configured can write a continuous byte stream to the device, causing unbounded memory allocation in the virt-handler process until it is OOM-killed.
Title Kubevirt: virt-handler-rhel9: kubevirt: unbounded virtio-serial readline in virt-handler causes oom denial of service
First Time appeared Redhat
Redhat container Native Virtualization
Weaknesses CWE-770
CPEs cpe:/a:redhat:container_native_virtualization:4
Vendors & Products Redhat
Redhat container Native Virtualization
References
Metrics threat_severity

None

cvssV3_1

{'score': 3.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L'}

threat_severity

Low


Subscriptions

Kubevirt Kubevirt
Redhat Container Native Virtualization Openshift Virtualization
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-26T13:39:15.504Z

Reserved: 2026-06-25T08:58:54.983Z

Link: CVE-2026-13322

cve-icon Vulnrichment

Updated: 2026-06-26T13:39:10.998Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-13322 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:35:57Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling