Bug 2463728 (CVE-2026-7374) - CVE-2026-7374 kubevirt: KubeVirt virt-handler: Privilege escalation and node compromise via symlink following vulnerability
Summary: CVE-2026-7374 kubevirt: KubeVirt virt-handler: Privilege escalation and node ...
Keywords:
Status: NEW
Alias: CVE-2026-7374
Deadline: 2026-05-26
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-29 06:44 UTC by OSIDB Bzimport
Modified: 2026-05-26 13:05 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-04-29 06:44:09 UTC
A flaw was found in KubeVirt's virt-handler component. virt-handler connects to VM console sockets by following filesystem paths without validating symlinks. An authenticated OpenShift user with the standard edit role in a single namespace can exec into the virt-launcher pod, replace the console socket with a symlink pointing to the host's container runtime (CRI-O) socket, and hijack virt-handler's privileged connection. Since virt-handler runs with hostPID and elevated privileges, this allows the attacker to reach any unix socket on the host, potentially gaining full control of the node and cluster.


Note You need to log in before you can comment on or make changes to this bug.