CVE-2026-13218
Received Received - Intake
KubeVirt virt-handler Symlink Arbitrary File Write

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Red Hat, Inc.

Description
A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-26
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2026-13218
EUVD
EUVD-2026-39594
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat kubevirt *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-13218 is a security vulnerability in KubeVirt's virt-handler component related to network cache handling.

The WriteToCachedFile function writes data to a launcher-rooted path without protecting against symbolic link (symlink) traversal.

A user with access to the virt-launcher container can create a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content.

Additionally, the ownership of the overwritten file is changed to a specific user ID (uid 107).

This vulnerability allows a container-to-host file write primitive, meaning a compromised container can write files on the host system.

Impact Analysis

This vulnerability can allow an attacker with access to the virt-launcher container to overwrite arbitrary files on the host system.

Such unauthorized file writes could lead to privilege escalation, data corruption, or disruption of host system operations.

Because the overwritten content is limited to serialized JSON network cache data, the impact is somewhat constrained but still significant.

The vulnerability requires local access with low privileges but high attack complexity, and it does not require user interaction.

Detection Guidance

Detection of this vulnerability involves checking for the presence of symlinks at the network cache file paths used by virt-handler, specifically under /proc/<launcherPid>/root/var/run/kubevirt-private/. Since the vulnerability arises from symlink traversal, inspecting these paths for unexpected symlinks can help identify exploitation attempts.

Additionally, monitoring for unusual file overwrites on the host filesystem with JSON content and changes in file ownership to uid 107 may indicate exploitation.

Suggested commands include:

  • Find symlinks in the cache directory: find /proc/*/root/var/run/kubevirt-private/ -type l -ls
  • Check for recently modified files with JSON content and ownership uid 107: find / -user 107 -name '*.json' -exec ls -l {} \;
  • Audit virt-launcher container processes for suspicious activity or attempts to create symlinks in the cache path.
Mitigation Strategies

Immediate mitigation steps include restricting access to the virt-launcher container to trusted users only, as the vulnerability requires user access to this container to exploit.

Avoid using bridge or non-masquerade network interfaces that trigger the vulnerable code path, if possible, since the flaw is not triggered for the default masquerade binding.

Monitor and remove any symlinks found in the cache file paths under /proc/<launcherPid>/root/var/run/kubevirt-private/ to prevent symlink traversal.

Apply any patches or updates provided by the vendor or maintainers that address this vulnerability as soon as they become available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13218. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart