Description
A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to the host's container runtime (CRI-O) socket, an attacker can hijack virt-handler's privileged connection. This enables the attacker to access any Unix socket on the host, potentially leading to full control of the node and the entire cluster.
Published: 2026-05-26
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in KubeVirt's virt-handler component, where improper symlink validation allows a user with edit permissions in a single namespace to replace the virtual machine console socket with a symlink pointing to the host's container runtime socket. This hijacks virt-handler's privileged connection, giving the attacker access to any Unix socket on the host. Accessing the container runtime socket can yield full control of the node and, by extension, the entire OpenShift cluster. The flaw is a classic example of CWE-59, Improper Link Resolution Before File Access ('Link Following'), and results in remote code execution or full system compromise.

Affected Systems

Red Hat OpenShift Virtualization 4, specifically the virt-handler component in the container_native_virtualization product. No version numbers are supplied in the data, so any deployment of this component is potentially impacted.

Risk and Exploitability

This flaw carries a CVSS score of 9.9, indicating critical severity. The EPSS score is not available, so exploitation likelihood cannot be quantified, and the vulnerability is not listed in CISA KEV. Based on the description, the attack can be carried out by an authenticated OpenShift user with namespace‑level edit rights, so the attack vector is internal to the cluster via legitimate credentials. Once the symlink is placed, the attacker can pivot from the virt-handler service to host sockets without additional privileges. The combination of a privileged service and host socket access makes exploitation both straightforward and highly damaging.

Generated by OpenCVE AI on May 26, 2026 at 15:05 UTC.

Remediation

Vendor Workaround

Update cluster RBAC to not allow exec into virt-launcher pods.


OpenCVE Recommended Actions

  • Update the virt-handler component to the official patched version once it becomes available
  • Reconfigure cluster RBAC to prevent exec access into virt-launcher pods, limiting the ability to manipulate console sockets
  • Remove or secure any symlinked console sockets on the host and enforce strict validation, ensuring console sockets cannot point to host‑level sockets
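
To apply the RBAC workaround above, an administrator first needs to know which roles grant exec on pods. The following is an added example, not part of the advisory or of any Red Hat or KubeVirt tooling: it scans exported Role and ClusterRole objects for such rules. The sample JSON and every role name in it are constructed, and treating `get` as an exec-capable verb is a conservative assumption.

```python
import json

CORE_GROUPS = {"", "*"}                        # pods live in the core ("") API group
EXEC_RESOURCES = {"*", "pods/exec", "*/exec"}  # plain "pods" does not cover subresources
EXEC_VERBS = {"*", "create", "get"}            # exec is a POST or a WebSocket GET


def grants_pod_exec(rule):
    """True if a single RBAC rule allows exec into pods within its scope."""
    return bool(
        CORE_GROUPS & set(rule.get("apiGroups", []))
        and EXEC_RESOURCES & set(rule.get("resources", []))
        and EXEC_VERBS & set(rule.get("verbs", []))
    )


def audit_roles(doc):
    """Return (kind, namespace, name, scoped_to) for each exec-granting rule.

    scoped_to holds the rule's resourceNames when the grant is limited to
    named pods; None means every pod the role covers, virt-launcher included.
    """
    findings = []
    for role in json.loads(doc)["items"]:
        meta = role["metadata"]
        for rule in role.get("rules") or []:   # aggregated roles may carry null rules
            if grants_pod_exec(rule):
                findings.append((role["kind"], meta.get("namespace"), meta["name"],
                                 rule.get("resourceNames") or None))
    return findings


# Constructed sample shaped like `oc get roles,clusterroles -A -o json` output;
# the namespaces and role names are hypothetical.
SAMPLE = json.dumps({"items": [
    {"kind": "Role", "metadata": {"name": "vm-operator", "namespace": "tenant-a"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["create"]}]},
    {"kind": "Role", "metadata": {"name": "vm-viewer", "namespace": "tenant-a"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wide-open"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]})

if __name__ == "__main__":
    for finding in audit_roles(SAMPLE):
        print(finding)
```

Roles reported with `scoped_to` set to None are the ones to review first, together with the RoleBindings that attach them to users in namespaces running virtual machines.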


Advisories

No advisories yet.

History

Thu, 28 May 2026 03:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:container_native_virtualization:4.19::el9
References

Wed, 27 May 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat openshift Virtualization
Vendors & Products Redhat openshift Virtualization

Wed, 27 May 2026 08:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:container_native_virtualization:4.21::el9

Wed, 27 May 2026 06:30:00 +0000

Type Values Removed Values Added
CPEs
  Removed: cpe:/a:redhat:container_native_virtualization:4
  Added:
    cpe:/a:redhat:container_native_virtualization:4.12::el8
    cpe:/a:redhat:container_native_virtualization:4.13::el9
    cpe:/a:redhat:container_native_virtualization:4.14::el9
    cpe:/a:redhat:container_native_virtualization:4.15::el9
    cpe:/a:redhat:container_native_virtualization:4.16::el9
    cpe:/a:redhat:container_native_virtualization:4.17::el9
    cpe:/a:redhat:container_native_virtualization:4.18::el9
    cpe:/a:redhat:container_native_virtualization:4.20::el9
References

Wed, 27 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics
  Removed: threat_severity None
  Added: threat_severity Important


Tue, 26 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
Title Kubevirt: kubevirt virt-handler: privilege escalation and node compromise via symlink following vulnerability
First Time appeared Redhat
Redhat container Native Virtualization
Weaknesses CWE-59
CPEs cpe:/a:redhat:container_native_virtualization:4
Vendors & Products Redhat
Redhat container Native Virtualization
References
Metrics cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-15T18:55:34.630Z

Reserved: 2026-04-29T06:46:44.106Z

Link: CVE-2026-7374

Vulnrichment

Updated: 2026-05-26T13:37:38.502Z

NVD

Status: Awaiting Analysis

Published: 2026-05-26T14:16:40.717

Modified: 2026-05-28T03:16:44.047

Link: CVE-2026-7374

Redhat

Severity: Important

Public Date: 2026-05-26T12:30:00Z

Links: CVE-2026-7374 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-27T09:30:26Z

Weaknesses
  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')