CVE-2026-13322

Summary

A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is received, with no length limit or read deadline. A user with access to a VM guest that has the downward metrics virtio-serial device configured can write a continuous byte stream to the device, causing unbounded memory allocation in the virt-handler process until it is OOM-killed.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-770: Allocation of Resources Without Limits or Throttling

Workarounds

The downward metrics virtio-serial device must be explicitly added to a VM's specification to be present. Clusters that do not use this feature are not exposed. To reduce exposure, administrators can restrict the ability to configure downward metrics devices on tenant VMs by using an admission webhook or policy controller such as Gatekeeper/OPA.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References