CVE-2026-13322
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
Summary
A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is received, with no length limit or read deadline. A user with access to a VM guest that has the downward metrics virtio-serial device configured can write a continuous byte stream to the device, causing unbounded memory allocation in the virt-handler process until it is OOM-killed.
Affected Software
| Vendor | Product | Version Range | Status |
|---|
Weaknesses
- CWE-770: Allocation of Resources Without Limits or Throttling
Workarounds
The downward metrics virtio-serial device must be explicitly added to a VM's specification to be present. Clusters that do not use this feature are not exposed. To reduce exposure, administrators can restrict the ability to configure downward metrics devices on tenant VMs by using an admission webhook or policy controller such as Gatekeeper/OPA.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://access.redhat.com/security/cve/CVE-2026-13322
- https://bugzilla.redhat.com/show_bug.cgi?id=2492681
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.