CVE-2025-64435
BaseFortify
Publication date: 2025-11-07
Last updated on: 2025-11-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kubevirt | kubevirt | to 1.6.3 (inc) |
| kubevirt | kubevirt | 1.7.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-703 | The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in KubeVirt's virt-controller is a logic flaw that allows an attacker to disrupt control over a running Virtual Machine Instance (VMI). The attacker can create a pod with the same labels as the legitimate virt-launcher pod associated with the VMI. This causes the virt-controller to mistakenly associate the fake pod with the VMI, leading to incorrect status updates and potentially causing a Denial-of-Service (DoS) condition.
How can this vulnerability impact me? :
The vulnerability can impact you by causing a Denial-of-Service (DoS) on your virtual machine instances managed by KubeVirt. This means that the control over running VMIs can be disrupted, potentially leading to downtime or unavailability of critical virtual machines.
What immediate steps should I take to mitigate this vulnerability?
Upgrade KubeVirt to version 1.7.0-beta.0 or later, as this version contains the fix for the vulnerability.