CVE Catalog

CVE-2026-13201

HighCVSS 7.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

3th percentile — higher than 3% of all known CVEs

Summary

A flaw in KubeVirt's safepath package, used by virt-handler, was found in the OpenAtNoFollow function. It uses O_PATH|O_NOFOLLOW to obtain a file descriptor, but subsequent operations resolve the path via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel dereferences it, bypassing the intended no-follow protection.

Risk Assessment

An attacker with access to a virt-launcher pod can exploit this to redirect virt-handler's IPC socket connections, including the notify socket for VM lifecycle events. This can lead to injection of fake events, corruption of VM state in the Kubernetes API, crashes, or sustained denial of VM management services on the affected node. Additionally, the flaw allows virt-handler to apply file ownership or permission changes to unintended host paths.

Recommendation

Immediately update KubeVirt to a version containing the fix for CVE-2026-13201. Until the update, restrict access to virt-launcher pods and monitor virt-handler logs for suspicious events.

Original NVD description (English source)

A flaw was found in KubeVirt's safepath package used by virt-handler. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream operations resolve the path via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel dereferences it, defeating the intended no-follow protection. An attacker with access to a virt-launcher pod can exploit this to redirect virt-handler's IPC socket connections, including the notify socket used for VM domain lifecycle events. By hijacking this socket, the attacker can inject arbitrary domain events into virt-handler, causing it to take incorrect lifecycle actions, corrupt VM state in the Kubernetes API, or crash — resulting in sustained denial of VM management services for all virtual machines on the affected node. Additionally, the same symlink following flaw allows virt-handler to apply file ownership or permission changes to unintended host paths.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS