CVE-2025-64433
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-07

Last updated on: 2025-11-25

Assigner: GitHub, Inc.

Description
KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered that allows a VM to read arbitrary files from the virt-launcher pod's file system. This issue stems from improper symlink handling when mounting PVC disks into a VM. Specifically, if a malicious user has full or partial control over the contents of a PVC, they can create a symbolic link that points to a file within the virt-launcher pod's file system. Since libvirt can treat regular files as block devices, any file on the pod's file system that is symlinked in this way can be mounted into the VM and subsequently read. Although a security mechanism exists where VMs are executed as an unprivileged user with UID 107 inside the virt-launcher container, limiting the scope of accessible resources, this restriction is bypassed due to a second vulnerability. The latter causes the ownership of any file intended for mounting to be changed to the unprivileged user with UID 107 prior to mounting. As a result, an attacker can gain access to and read arbitrary files located within the virt-launcher pod's file system or on a mounted PVC from within the guest VM. This vulnerability is fixed in 1.5.3 and 1.6.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-07
Last Modified
2025-11-25
Generated
2026-05-07
AI Q&A
2025-11-08
EPSS Evaluated
2026-05-05
NVD
CVE-2025-64433
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
kubevirt kubevirt to 1.5.3 (exc)
kubevirt kubevirt 1.6.0
kubevirt kubevirt 1.6.0
kubevirt kubevirt 1.6.0
kubevirt kubevirt 1.6.0
kubevirt kubevirt 1.6.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in KubeVirt allows a virtual machine (VM) to read arbitrary files from the virt-launcher pod's file system due to improper handling of symbolic links when mounting Persistent Volume Claim (PVC) disks. A malicious user controlling PVC contents can create a symlink pointing to sensitive files in the pod's file system. Because libvirt treats regular files as block devices, these files can be mounted and read inside the VM. Additionally, a second vulnerability changes file ownership to an unprivileged user inside the container, bypassing security restrictions and enabling unauthorized file access. This issue is fixed in versions 1.5.3 and 1.6.1.


How can this vulnerability impact me? :

An attacker with control over PVC contents can exploit this vulnerability to read sensitive files from the virt-launcher pod's file system or mounted PVCs from within a VM. This unauthorized access can lead to exposure of confidential data, potentially compromising the security of the virtualized environment and any applications or data hosted within it.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade KubeVirt to version 1.5.3 or 1.6.1 or later, where the issue has been fixed.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart