{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-13325", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-06-25T10:28:26.197Z", "datePublished": "2026-06-26T10:41:01.791Z", "dateUpdated": "2026-06-26T10:41:01.791Z"}, "containers": {"cna": {"title": "Virt-handler-rhel9: kubevirt: kubevirt: disabletls migration setting removes authentication, exposing unauthenticated virtqemud proxy on all interfaces", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in KubeVirt's migration proxy. When spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource, the target virt-handler binds a plain TCP listener on all interfaces (0.0.0.0/::) on a random port with no authentication, peer allow-list, or handshake token. This listener proxies directly into the target virt-launcher's virtqemud control socket. An attacker with a running pod on the cluster network can connect to this listener and issue unfiltered libvirt RPC commands against another tenant's virtual machine, including reading VM memory and configuration, modifying VM state via QMP, or destroying the VM. The bind address is unconditionally 0.0.0.0 \u2014 configuring a dedicated migration network via migrations.network only changes the advertised migration IP, not the listener bind address, so the port remains reachable on the pod network even when a dedicated migration network is configured. The API documentation describes disableTLS as removing \"the additional layer of live migration encryption\" without disclosing that it also removes all mutual authentication."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat OpenShift Virtualization 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "container-native-virtualization/virt-handler", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:container_native_virtualization:4"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Virtualization 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "container-native-virtualization/virt-handler-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:container_native_virtualization:4"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-13325", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493378", "name": "RHBZ#2493378", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-06-26T10:17:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-306: Missing Authentication for Critical Function", "workarounds": [{"lang": "en", "value": "Do not set spec.configuration.migrations.disableTLS to true on the KubeVirt custom resource. The default value (false) enforces mutual TLS authentication on migration proxy connections and fully prevents this attack.\n\nIf disableTLS must remain enabled for operational reasons, deploy Kubernetes NetworkPolicies restricting ingress to virt-handler pods to only allow connections from other virt-handler and virt-launcher pods. Note that configuring a dedicated migration network via migrations.network alone does not mitigate this flaw, as the listener binds on all interfaces regardless of the migration network configuration."}], "timeline": [{"lang": "en", "time": "2026-06-26T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-26T10:17:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "This issue was discovered by Huzaifa Sidhpurwala (Red Hat)."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-26T10:41:01.791Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}

{}

{}

{"acknowledgement": "This issue was discovered by Huzaifa Sidhpurwala (Red Hat).", "bugzilla": {"description": "virt-handler-rhel9: kubevirt: kubevirt: DisableTLS migration setting removes authentication, exposing unauthenticated virtqemud proxy on all interfaces", "id": "2493378", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493378"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-306", "details": ["A flaw was found in KubeVirt's migration proxy. When spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource, the target virt-handler binds a plain TCP listener on all interfaces (0.0.0.0/::) on a random port with no authentication, peer allow-list, or handshake token. This listener proxies directly into the target virt-launcher's virtqemud control socket. An attacker with a running pod on the cluster network can connect to this listener and issue unfiltered libvirt RPC commands against another tenant's virtual machine, including reading VM memory and configuration, modifying VM state via QMP, or destroying the VM. The bind address is unconditionally 0.0.0.0 \u2014 configuring a dedicated migration network via migrations.network only changes the advertised migration IP, not the listener bind address, so the port remains reachable on the pod network even when a dedicated migration network is configured. The API documentation describes disableTLS as removing \"the additional layer of live migration encryption\" without disclosing that it also removes all mutual authentication."], "mitigation": {"lang": "en:us", "value": "Do not set spec.configuration.migrations.disableTLS to true on the KubeVirt custom resource. The default value (false) enforces mutual TLS authentication on migration proxy connections and fully prevents this attack.\nIf disableTLS must remain enabled for operational reasons, deploy Kubernetes NetworkPolicies restricting ingress to virt-handler pods to only allow connections from other virt-handler and virt-launcher pods. Note that configuring a dedicated migration network via migrations.network alone does not mitigate this flaw, as the listener binds on all interfaces regardless of the migration network configuration."}, "name": "CVE-2026-13325", "package_state": [{"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/virt-handler", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/virt-handler-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}], "public_date": "2026-06-26T10:17:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-13325\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-13325"], "statement": "Red Hat rates this flaw as Moderate impact for OpenShift Virtualization. The disableTLS setting is off by default, can only be enabled by a cluster-admin on the KubeVirt custom resource, and cannot be enabled by tenants through the MigrationPolicy API. In the default OpenShift Virtualization deployment, migration traffic is protected by mutual TLS authentication and this vulnerability is not exploitable.\nWhen disableTLS is explicitly enabled, the migration proxy listener removes all authentication \u2014 not just encryption as documented \u2014 and binds on all network interfaces, allowing any pod on the cluster network to reach it during an active migration. The listener proxies to the target launcher's virtqemud control socket, enabling an attacker to issue libvirt RPC commands against the target VM. The impact is contained to the target VM and its virt-launcher pod, which runs as a non-root, unprivileged pod under SELinux container_t confinement \u2014 compromise does not extend to the host node or other VMs.\nAdditionally, configuring a dedicated migration network via migrations.network does not mitigate this flaw because the listener binds on all interfaces regardless, defeating the intended network isolation.", "threat_severity": "Moderate"}

{}