CVE-2026-13218

Summary

A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-61: UNIX Symbolic Link (Symlink) Following

Workarounds

Ensure virtual machines use the default masquerade network binding mode where possible. Restrict pods/exec access on virt-launcher pods to only trusted administrators. Review and restrict NetworkAttachmentDefinition resources to limit which namespaces can configure bridge-type network interfaces.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References