CVE-2026-13218
Analyzed Analyzed - Analysis Complete

KubeVirt virt-handler Symlink Arbitrary File Write

Vulnerability report for CVE-2026-13218, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-07-06

Assigner: Red Hat, Inc.

Description

A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-07-06
Generated
2026-07-16
AI Q&A
2026-06-27
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
kubevirt kubevirt *
redhat openshift_virtualization From 4 (inc) to 4.22.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows a user with access to the virt-launcher container to overwrite arbitrary host files with JSON content and change file ownership, potentially leading to unauthorized modification of host system files.

Such unauthorized file modifications could impact the integrity and security of systems handling sensitive data, which may affect compliance with standards like GDPR and HIPAA that require protection of data integrity and prevention of unauthorized access or changes.

However, the vulnerability does not directly disclose sensitive data but provides a container-to-host file write primitive, which could be leveraged in broader attack scenarios compromising compliance.

Executive Summary

CVE-2026-13218 is a security vulnerability in KubeVirt's virt-handler component related to network cache handling.

The WriteToCachedFile function writes data to a launcher-rooted path without protecting against symbolic link (symlink) traversal.

A user with access to the virt-launcher container can create a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content.

Additionally, the ownership of the overwritten file is changed to a specific user ID (uid 107).

This vulnerability allows a container-to-host file write primitive, meaning a compromised container can write files on the host system.

Impact Analysis

This vulnerability can allow an attacker with access to the virt-launcher container to overwrite arbitrary files on the host system.

Such unauthorized file writes could lead to privilege escalation, data corruption, or disruption of host system operations.

Because the overwritten content is limited to serialized JSON network cache data, the impact is somewhat constrained but still significant.

The vulnerability requires local access with low privileges but high attack complexity, and it does not require user interaction.

Detection Guidance

Detection of this vulnerability involves checking for the presence of symlinks at the network cache file paths used by virt-handler, specifically under /proc/<launcherPid>/root/var/run/kubevirt-private/. Since the vulnerability arises from symlink traversal, inspecting these paths for unexpected symlinks can help identify exploitation attempts.

Additionally, monitoring for unusual file overwrites on the host filesystem with JSON content and changes in file ownership to uid 107 may indicate exploitation.

Suggested commands include:

  • Find symlinks in the cache directory: find /proc/*/root/var/run/kubevirt-private/ -type l -ls
  • Check for recently modified files with JSON content and ownership uid 107: find / -user 107 -name '*.json' -exec ls -l {} \;
  • Audit virt-launcher container processes for suspicious activity or attempts to create symlinks in the cache path.
Mitigation Strategies

Immediate mitigation steps include restricting access to the virt-launcher container to trusted users only, as the vulnerability requires user access to this container to exploit.

Avoid using bridge or non-masquerade network interfaces that trigger the vulnerable code path, if possible, since the flaw is not triggered for the default masquerade binding.

Monitor and remove any symlinks found in the cache file paths under /proc/<launcherPid>/root/var/run/kubevirt-private/ to prevent symlink traversal.

Apply any patches or updates provided by the vendor or maintainers that address this vulnerability as soon as they become available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13218. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart