Description
A flaw was found in KubeVirt's migration proxy. When spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource, the target virt-handler binds a plain TCP listener on all interfaces (0.0.0.0/::) on a random port with no authentication, peer allow-list, or handshake token. This listener proxies directly into the target virt-launcher's virtqemud control socket. An attacker with a running pod on the cluster network can connect to this listener and issue unfiltered libvirt RPC commands against another tenant's virtual machine, including reading VM memory and configuration, modifying VM state via QMP, or destroying the VM. The bind address is unconditionally 0.0.0.0 — configuring a dedicated migration network via migrations.network only changes the advertised migration IP, not the listener bind address, so the port remains reachable on the pod network even when a dedicated migration network is configured. The API documentation describes disableTLS as removing "the additional layer of live migration encryption" without disclosing that it also removes all mutual authentication.
Published: 2026-06-26
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in KubeVirt’s migration proxy allows an attacker to connect to a plaintext TCP listener on all interfaces when the configuration spec.configuration.migrations.disableTLS flag is set to true. The listener forwards unfiltered libvirt QEMU Machine Protocol (QMP) commands directly to a virt-launcher’s virtqemud socket, giving the attacker the ability to read, modify, or destroy virtual machine state. This is a missing authentication weakness (CWE‑306) that can lead to full compromise of virtual machines within the cluster.

Affected Systems

Red Hat OpenShift Virtualization 4 deployments where KubeVirt’s spec.configuration.migrations.disableTLS is enabled. Any components that host virt-handler pods are vulnerable; no specific version numbers are provided in the advisory.

Risk and Exploitability

The vulnerability scores a CVSS of 8.5, indicating high severity, and is not listed in the CISA KEV catalog. EPSS data are unavailable, so the current exploitation probability cannot be quantified. The attack requires an attacker to run a pod or otherwise obtain connectivity within the cluster network to reach the exposed 0.0.0.0 listener; once connected, the attacker can execute arbitrary libvirt commands on any target virtual machine with no authentication.

Generated by OpenCVE AI on June 26, 2026 at 13:22 UTC.

Remediation

Vendor Workaround

Do not set spec.configuration.migrations.disableTLS to true on the KubeVirt custom resource. The default value (false) enforces mutual TLS authentication on migration proxy connections and fully prevents this attack. If disableTLS must remain enabled for operational reasons, deploy Kubernetes NetworkPolicies restricting ingress to virt-handler pods to only allow connections from other virt-handler and virt-launcher pods. Note that configuring a dedicated migration network via migrations.network alone does not mitigate this flaw, as the listener binds on all interfaces regardless of the migration network configuration.

OpenCVE Recommended Actions

  • Set spec.configuration.migrations.disableTLS to false in the KubeVirt custom resource to enforce mutual TLS on migration proxy connections.
  • Deploy Kubernetes NetworkPolicies that allow inbound traffic to virt-handler pods only from other virt-handler and virt-launcher pods, thereby limiting access to the plaintext listener.
  • Configure host or cluster firewall rules to block traffic to the virt-handler pod ports from any sources not explicitly allowed by the NetworkPolicies.

Generated by OpenCVE AI on June 26, 2026 at 13:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 26 Jun 2026 11:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in KubeVirt's migration proxy. When spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource, the target virt-handler binds a plain TCP listener on all interfaces (0.0.0.0/::) on a random port with no authentication, peer allow-list, or handshake token. This listener proxies directly into the target virt-launcher's virtqemud control socket. An attacker with a running pod on the cluster network can connect to this listener and issue unfiltered libvirt RPC commands against another tenant's virtual machine, including reading VM memory and configuration, modifying VM state via QMP, or destroying the VM. The bind address is unconditionally 0.0.0.0 — configuring a dedicated migration network via migrations.network only changes the advertised migration IP, not the listener bind address, so the port remains reachable on the pod network even when a dedicated migration network is configured. The API documentation describes disableTLS as removing "the additional layer of live migration encryption" without disclosing that it also removes all mutual authentication.
Title Virt-handler-rhel9: kubevirt: kubevirt: disabletls migration setting removes authentication, exposing unauthenticated virtqemud proxy on all interfaces
First Time appeared Redhat
Redhat container Native Virtualization
Weaknesses CWE-306
CPEs cpe:/a:redhat:container_native_virtualization:4
Vendors & Products Redhat
Redhat container Native Virtualization
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Redhat Container Native Virtualization
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-26T18:42:00.736Z

Reserved: 2026-06-25T10:28:26.197Z

Link: CVE-2026-13325

cve-icon Vulnrichment

Updated: 2026-06-26T18:14:34.031Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-26T10:17:00Z

Links: CVE-2026-13325 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T13:30:16Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function