750 matches found
EUVD-2026-39086
A flaw was found in KubeVirt's safepath package. The OpenAtNoFollow function uses OPATH|ONOFOLLOW to obtain a file descriptor to a path leaf, but downstream helpers operate via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel dereferences it, defeating the...
CVE-2026-13208
A flaw was found in KubeVirt's virt-handler domain notify server. The gRPC handlers for HandleDomainEvent and HandleK8SEvent derive the VMI identity namespace/name solely from the request body without validating it against the connection's origin. Each virt-launcher pod connects through a per-VMI...
CVE-2026-13201
A flaw was found in KubeVirt's safepath package used by virt-handler. The OpenAtNoFollow function uses OPATH|ONOFOLLOW to obtain a file descriptor to a path leaf, but downstream operations resolve the path via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel...
CVE-2026-52959 virt: sev-guest: Do not use host-controlled page order in cleanup path
In the Linux kernel, the following vulnerability has been resolved: virt: sev-guest: Do not use host-controlled page order in cleanup path When issuing an extended guest request SVMVMGEXITEXTGUESTREQUEST, getextreport allocates a buffer to retrieve a certificate blob from the host, keeping track ...
CVE-2026-52959
The CVE-2026-52959 issue affects the Linux kernel SEV guest module. During an extended guest request (SVM_VMGEXIT_EXT_GUEST_REQUEST), get_ext_report() allocates a buffer for a host certificate blob and stores its size in report_req->certs_len. The host may return SNP_GUEST_VMM_ERR_INVALID_LEN ...
PT-2026-52088
Name of the Vulnerable Software and Affected Versions KubeVirt affected versions not specified Description A flaw exists in the KubeVirt virt-handler domain notify server. The gRPC handlers HandleDomainEvent and HandleK8SEvent determine the VMI identity namespace/name based only on the request...
PT-2026-52087
Name of the Vulnerable Software and Affected Versions KubeVirt affected versions not specified Description A flaw exists in the safepath package used by virt-handler. The OpenAtNoFollow function utilizes O PATH|O NOFOLLOW to obtain a file descriptor for a path leaf; however, subsequent operations...
CVE-2025-14525 vulnerabilities
Vulnerabilities for packages: virt-handler, harvester, harvester-fips, virt-operator-fips, virt-controller-fips, virt-launcher...
GHSA-VJHF-6XFR-5P9G vulnerabilities
Vulnerabilities for packages: harvester, virt-operator, harvester-fips, virt-operator-fips, virt-controller-fips, virt-launcher...
CVE-2024-31420 vulnerabilities
Vulnerabilities for packages: harvester, virt-operator, harvester-fips, virt-operator-fips, virt-controller-fips, virt-launcher...
CVE-2024-33394 vulnerabilities
Vulnerabilities for packages: harvester, virt-operator, harvester-fips, virt-operator-fips, virt-controller-fips, virt-launcher...
GHSA-25MH-HP8X-CGRV vulnerabilities
Vulnerabilities for packages: virt-handler, harvester, harvester-fips, virt-operator-fips, virt-controller-fips, virt-launcher...
GHSA-4Q63-MR2M-57HF vulnerabilities
Vulnerabilities for packages: harvester, virt-operator, harvester-fips, virt-operator-fips, virt-controller-fips, virt-launcher...
SUSE SLES15 Security Update : kubevirt (SUSE-SU-2026:2400-1)
The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2400-1 advisory. Update to version 1.7.4, fixes various go embedded security issues: - CVE-2025-47911: golang.org/x/net/html: various algorithms wit...
SUSE SLES15 Security Update : kubevirt-1.6 (SUSE-SU-2026:2401-1)
The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2401-1 advisory. This update for kubevirt-1.6 fixes the following issues Update to version 1.6.6, fixes various go embedded security issues: -...
SUSE-SU-2026:2401-1 Security update for kubevirt-1.6
This update for kubevirt-1.6 fixes the following issues Update to version 1.6.6, fixes various go embedded security issues: - CVE-2025-47911: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents bsc1251420. - CVE-2025-47913: golang.org/x/crypto/ssh/agent...
Security update for kubevirt
This update for kubevirt fixes the following issues: Update to version 1.7.4, fixes various go embedded security issues: CVE-2025-47911: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents bsc1251420. CVE-2025-47913: golang.org/x/crypto/ssh/agent: clien...
Kubevirt: kubevirt virt-handler: privilege escalation and node compromise via symlink following vulnerability
...
CVE-2026-9804
A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link symlink within an exported filesystem Persistent Volume Claim PVC that points...
CVE-2026-9804
A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link symlink within an exported filesystem Persistent Volume Claim PVC that points...