{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-13218", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-06-24T15:29:58.096Z", "datePublished": "2026-06-25T23:23:23.228Z", "dateUpdated": "2026-06-25T23:23:23.228Z"}, "containers": {"cna": {"title": "Kubevirt: kubevirt: symlink following in writetocachedfile allows host file overwrite from virt-launcher", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat OpenShift Virtualization 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "container-native-virtualization/virt-handler", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:container_native_virtualization:4"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Virtualization 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "container-native-virtualization/virt-handler-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:container_native_virtualization:4"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-13218", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492654", "name": "RHBZ#2492654", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-06-25T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-61", "description": "UNIX Symbolic Link (Symlink) Following", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-61: UNIX Symbolic Link (Symlink) Following", "workarounds": [{"lang": "en", "value": "Ensure virtual machines use the default masquerade network binding mode where possible. Restrict pods/exec access on virt-launcher pods to only trusted administrators. Review and restrict NetworkAttachmentDefinition resources to limit which namespaces can configure bridge-type network interfaces."}], "timeline": [{"lang": "en", "time": "2026-06-24T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-25T00:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "This issue was discovered by Huzaifa Sidhpurwala (Red Hat)."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-25T23:23:23.228Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}

{}

{}

{"acknowledgement": "This issue was discovered by Huzaifa Sidhpurwala (Red Hat).", "bugzilla": {"description": "kubevirt: kubevirt: symlink following in WriteToCachedFile allows host file overwrite from virt-launcher", "id": "2492654", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492654"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L", "status": "draft"}, "cwe": "CWE-61", "details": ["A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership."], "mitigation": {"lang": "en:us", "value": "Ensure virtual machines use the default masquerade network binding mode where possible. Restrict pods/exec access on virt-launcher pods to only trusted administrators. Review and restrict NetworkAttachmentDefinition resources to limit which namespaces can configure bridge-type network interfaces."}, "name": "CVE-2026-13218", "package_state": [{"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "container-native-virtualization/virt-handler", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "container-native-virtualization/virt-handler-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}], "public_date": "2026-06-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-13218\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-13218"], "statement": "This flaw affects OpenShift Virtualization deployments where virtual machines are configured with bridge or other non-masquerade network interfaces. The default network binding mode in OpenShift Virtualization is masquerade, which does not trigger the vulnerable code path \u2014 exploitation requires a cluster administrator to have pre-configured a NetworkAttachmentDefinition with bridge-type binding, a condition beyond the attacker's control. Additionally, the attacker must have exec access to the virt-launcher container (not merely VM guest console access). The file content written by the exploit is constrained to valid JSON following the network cache schema \u2014 arbitrary byte injection is not possible. On OpenShift Container Platform, SELinux mandatory access controls in enforcing mode restrict the set of host files writable by the virt-handler process, and base OS binaries under /usr/ are protected by RHCOS read-only ostree layers. However, host configuration files under /etc/ and data under /var/ are potentially reachable depending on virt-handler's SELinux context. Red Hat rates this as Moderate impact because exploitation requires non-default network configuration, container-level access beyond standard VM user privileges, and the content constraint significantly limits the attacker's ability to achieve meaningful host compromise.", "threat_severity": "Moderate"}

{"created": "2026-06-26T00:30:17.568702+00:00", "updated": "2026-06-26T00:30:17.568708+00:00", "vendors": []}