CVE-2026-13208
Analyzed Analyzed - Analysis Complete

Improper Domain Event Handling in KubeVirt

Vulnerability report for CVE-2026-13208, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-06

Assigner: Red Hat, Inc.

Description

A flaw was found in KubeVirt's virt-handler domain notify server. The gRPC handlers for HandleDomainEvent and HandleK8SEvent derive the VMI identity (namespace/name) solely from the request body without validating it against the connection's origin. Each virt-launcher pod connects through a per-VMI pipe socket, but no identity tag is propagated from the pipe path to the server handlers. This allows a compromised virt-launcher process to send forged domain lifecycle events for any other VMI scheduled on the same node, causing virt-handler to erroneously update that VMI's state and disrupt its lifecycle management.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-06
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
kubevirt kubevirt *
redhat openshift_virtualization From 4 (inc) to 4.22.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in KubeVirt's virt-handler domain notify server. The gRPC handlers HandleDomainEvent and HandleK8SEvent determine the identity of a Virtual Machine Instance (VMI) based only on the request body, without verifying that identity against the connection's origin.

Each virt-launcher pod connects to the server through a pipe socket specific to each VMI, but the server handlers do not receive any identity tag from the pipe path. This flaw allows a compromised virt-launcher process to send forged domain lifecycle events for any other VMI running on the same node.

As a result, the virt-handler may incorrectly update the state of a VMI it should not control, disrupting the lifecycle management of that VMI.

Impact Analysis

The vulnerability can lead to disruption of the lifecycle management of Virtual Machine Instances (VMIs) on the same node.

A compromised virt-launcher process can send forged lifecycle events for other VMIs, causing virt-handler to erroneously update their states.

This may result in availability issues or unexpected behavior of affected VMIs, potentially causing denial of service or operational instability.

Compliance Impact

This vulnerability allows a compromised virt-launcher process to send forged domain lifecycle events for any other Virtual Machine Instance (VMI) scheduled on the same node, causing unauthorized updates to the victim VMI's state and disrupting its lifecycle management.

Such unauthorized state manipulation and potential denial of service could lead to data availability and integrity issues, which may impact compliance with standards and regulations that require strict controls over system integrity and availability, such as GDPR and HIPAA.

However, the provided information does not explicitly describe direct impacts on data confidentiality or specific regulatory compliance requirements.

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized or forged domain lifecycle events and Kubernetes events that do not match the expected Virtual Machine Instance (VMI) identities. Since the vulnerability allows a compromised virt-launcher to send forged events for other VMIs on the same node, unusual state changes or lifecycle disruptions in VMIs may indicate exploitation.

Specifically, you can check logs of the virt-handler and Kubernetes events for unexpected or repeated shutdown/restart loops or lifecycle state corruptions of VMIs.

While no explicit commands are provided in the resources, general commands to inspect Kubernetes events and pod logs include:

  • kubectl get events --all-namespaces | grep -i virt-handler
  • kubectl logs -n <namespace> <virt-handler-pod-name>
  • kubectl describe vmi -n <namespace> <vmi-name>

Monitoring for discrepancies between the VMI identity in events and the expected VMI identity per connection could help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to apply the recommended fix which involves tagging each pipe connection with the VMI UID at accept time and ensuring that the notify-server handlers reject any DomainEvent or K8sEvent whose embedded namespace, name, or UID does not match the connection's tagged identity.

Until the fix is applied, consider limiting the privileges of virt-launcher processes to reduce the risk of compromise and monitor for suspicious lifecycle events or restarts.

Additionally, ensure that your KubeVirt installation is updated to a version that includes the patch addressing this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13208. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart