CVE-2026-13208
Improper Domain Event Handling in KubeVirt

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Red Hat, Inc.

Description
A flaw was found in KubeVirt's virt-handler domain notify server. The gRPC handlers for HandleDomainEvent and HandleK8SEvent derive the VMI identity (namespace/name) solely from the request body without validating it against the connection's origin. Each virt-launcher pod connects through a per-VMI pipe socket, but no identity tag is propagated from the pipe path to the server handlers. This allows a compromised virt-launcher process to send forged domain lifecycle events for any other VMI scheduled on the same node, causing virt-handler to erroneously update that VMI's state and disrupt its lifecycle management.
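The fix pattern the description implies, as an added Go example that is not KubeVirt's code: the socket layout (`<root>/<namespace>/<name>/notify.sock`), the `VMIKey` and `DomainEvent` types, and every function name are assumptions. The server derives the VMI identity from the listening socket's path, attaches it to the connection accepted on that socket, and has the handler reject any event whose body names a different VMI, which is exactly the check the description says the vulnerable handlers lack.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"path/filepath"
)

// VMIKey identifies a VMI by namespace and name (constructed type, not KubeVirt's own).
type VMIKey struct {
	Namespace string `json:"namespace"`
	Name      string `json:"name"`
}

// DomainEvent is a simplified stand-in for the notify request body.
type DomainEvent struct {
	VMI    VMIKey `json:"vmi"`
	Reason string `json:"reason"`
}

type connIdentityKey struct{}

var ErrNoIdentity = errors.New("connection carries no VMI identity")
var ErrIdentityMismatch = errors.New("event names a VMI other than the connection's own")

// identityFromSocketPath derives the owning VMI from a per-VMI socket path, assuming the hypothetical layout <root>/<namespace>/<name>/notify.sock.
func identityFromSocketPath(path string) (VMIKey, error) {
	vmiDir := filepath.Dir(path)
	name, ns := filepath.Base(vmiDir), filepath.Base(filepath.Dir(vmiDir))
	if name == "." || name == "/" || ns == "." || ns == "/" {
		return VMIKey{}, fmt.Errorf("cannot derive VMI identity from %q", path)
	}
	return VMIKey{Namespace: ns, Name: name}, nil
}

// withConnIdentity tags a connection's context with the socket-derived identity.
func withConnIdentity(ctx context.Context, id VMIKey) context.Context {
	return context.WithValue(ctx, connIdentityKey{}, id)
}

// handleDomainEvent is the hardened handler: the flawed version applied ev.VMI straight from the body; here it must equal the identity bound to the connection.
func handleDomainEvent(ctx context.Context, ev DomainEvent, apply func(VMIKey, string)) error {
	id, ok := ctx.Value(connIdentityKey{}).(VMIKey)
	if !ok {
		return ErrNoIdentity
	}
	if ev.VMI != id {
		return fmt.Errorf("%w: claimed %s/%s on socket of %s/%s", ErrIdentityMismatch, ev.VMI.Namespace, ev.VMI.Name, id.Namespace, id.Name)
	}
	apply(id, ev.Reason) // the bound identity is applied, never the claimed one
	return nil
}

// serveNotifySocket serves a per-VMI Unix socket, binding the identity derived from the listener's path to the connection's context (demo simplification: a single client).
func serveNotifySocket(ctx context.Context, ln net.Listener, apply func(VMIKey, string), results chan<- error) error {
	id, err := identityFromSocketPath(ln.Addr().String())
	if err != nil {
		return err
	}
	conn, err := ln.Accept()
	if err != nil {
		return err
	}
	defer conn.Close()
	dec := json.NewDecoder(conn)
	for {
		var ev DomainEvent
		if err := dec.Decode(&ev); err != nil {
			return err // io.EOF once the client hangs up
		}
		results <- handleDomainEvent(withConnIdentity(ctx, id), ev, apply)
	}
}

// check aborts the demo on an unexpected error.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	// Linux abstract socket (leading "@"): nothing to create or clean up on disk.
	ln, err := net.Listen("unix", "@/notify-demo/ns-a/vmi-a/notify.sock")
	check(err)
	results := make(chan error, 2)
	go serveNotifySocket(context.Background(), ln, func(k VMIKey, r string) {
		fmt.Printf("applied %q to %s/%s\n", r, k.Namespace, k.Name)
	}, results)
	conn, err := net.Dial("unix", ln.Addr().String())
	check(err)
	enc := json.NewEncoder(conn)
	// The client holds vmi-a's socket: it first claims to be vmi-b, then itself.
	check(enc.Encode(DomainEvent{VMI: VMIKey{Namespace: "ns-b", Name: "vmi-b"}, Reason: "Stopped"}))
	check(enc.Encode(DomainEvent{VMI: VMIKey{Namespace: "ns-a", Name: "vmi-a"}, Reason: "Started"}))
	fmt.Println("forged event:", <-results)
	fmt.Println("genuine event:", <-results)
	conn.Close()
}
```

Two design points matter for the CWE-287 class of bug. The handler applies the connection-bound identity rather than the claimed one, so the body can never smuggle a different key through even when the check passes; and a connection without a tag is refused outright instead of falling back to the body, which is the failure mode the description attributes to the vulnerable handlers. The demo uses a Linux abstract Unix socket only to avoid filesystem setup; the wiring is identical for a filesystem socket, where `ln.Addr().String()` is the socket path.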
Meta Information
Generated: 2026-06-25
EPSS evaluated: N/A
Affected Vendors & Products
1 associated CPE
Vendor: redhat | Product: kubevirt | Version / Range: *
CWE
CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Executive Summary

This vulnerability exists in KubeVirt's virt-handler domain notify server. The gRPC handlers HandleDomainEvent and HandleK8SEvent determine the identity of a Virtual Machine Instance (VMI) based only on the request body, without verifying that identity against the connection's origin.

Each virt-launcher pod connects to the server through a pipe socket specific to each VMI, but the server handlers do not receive any identity tag from the pipe path. This flaw allows a compromised virt-launcher process to send forged domain lifecycle events for any other VMI running on the same node.

As a result, the virt-handler may incorrectly update the state of a VMI it should not control, disrupting the lifecycle management of that VMI.

Impact Analysis

The vulnerability can lead to disruption of the lifecycle management of Virtual Machine Instances (VMIs) on the same node.

A compromised virt-launcher process can send forged lifecycle events for other VMIs, causing virt-handler to erroneously update their states.

This may result in availability issues or unexpected behavior of affected VMIs, potentially causing denial of service or operational instability.
