Bug 2492220 (CVE-2026-13208) - CVE-2026-13208 kubevirt: virt-handler-rhel9: kubevirt: virt-handler notify server trusts VMI identity from unauthenticated gRPC request body
Summary: CVE-2026-13208 kubevirt: virt-handler-rhel9: kubevirt: virt-handler notify se...
Keywords:
Status: NEW
Alias: CVE-2026-13208
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-06-24 15:04 UTC by OSIDB Bzimport
Modified: 2026-06-24 15:19 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-24 15:04:59 UTC
A flaw was found in KubeVirt's virt-handler domain notify server (pkg/virt-handler/notify-server/server.go). The gRPC handlers HandleDomainEvent (L54) and HandleK8SEvent (L96) derive the target VMI identity solely from the request body (DomainJSON informer key, EventNamespace/EventName) without validating it against the originating connection. Each virt-launcher connects via a per-VMI domain-notify-pipe.sock, but pipe.go performs a raw io.Copy byte pump with no peer identity tagging. No SO_PEERCRED or per-connection authentication is present on the shared socket.

A compromised virt-launcher can connect to its own pipe socket and send HandleDomainEvent/HandleK8SEvent gRPC messages claiming to be any other VMI on the same node. virt-handler processes these as authoritative, updating the victim VMI's state in the Kubernetes API. This enables cross-tenant denial of service: forced shutdown/restart loops, lifecycle state corruption, and K8s Event forgery.

Upstream fix recommendation: Tag each pipe connection with the VMI UID at accept time (the pipe socket path already encodes it) and pass that identity through to the notify-server handlers; reject any DomainEvent/K8sEvent whose embedded namespace/name/UID does not match the connection's tagged identity.
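The following Go program is an added illustration of the recommended fix pattern; it is not KubeVirt's code and does not use its APIs. It assumes a per-VMI socket path layout of `<base>/<vmi-uid>/domain-notify-pipe.sock` (the real layout may differ), binds the UID derived from that path to the connection's context at accept time, and has the event handler fail closed: an event is applied only when the identity it carries matches the connection's tagged identity, and an untagged connection is rejected outright. `DomainEvent`, `VMIState`, `IdentityFromSocketPath`, `HandleDomainEvent` and `Simulate` are all constructed for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var (
	ErrNoIdentity       = errors.New("connection carries no VMI identity")
	ErrIdentityMismatch = errors.New("event identity does not match connection identity")
)

// ConnIdentity is the VMI identity bound to one accepted pipe connection.
type ConnIdentity struct {
	UID string
}

type identityKey struct{}

// IdentityFromSocketPath derives the VMI UID from the per-VMI pipe socket path.
// Assumed layout: <base>/<vmi-uid>/domain-notify-pipe.sock
func IdentityFromSocketPath(path string) (ConnIdentity, error) {
	clean := filepath.Clean(path)
	if filepath.Base(clean) != "domain-notify-pipe.sock" {
		return ConnIdentity{}, fmt.Errorf("unexpected socket name in %q", path)
	}
	uid := filepath.Base(filepath.Dir(clean))
	if uid == "" || uid == "." || uid == "/" || strings.ContainsAny(uid, " \t\n") {
		return ConnIdentity{}, fmt.Errorf("cannot derive VMI UID from %q", path)
	}
	return ConnIdentity{UID: uid}, nil
}

// WithConnIdentity tags a context with the identity fixed at accept time,
// before any request body from that connection is parsed.
func WithConnIdentity(ctx context.Context, id ConnIdentity) context.Context {
	return context.WithValue(ctx, identityKey{}, id)
}

// DomainEvent is the subset of a notify message relevant to the check (constructed).
type DomainEvent struct {
	Namespace string
	Name      string
	VMIUID    string // identity claimed in the request body
	Type      string // e.g. "Started", "Stopped"
}

// VMIState is a toy stand-in for the per-VMI state the handler would update,
// keyed by VMI UID and holding the last accepted event type.
type VMIState map[string]string

// HandleDomainEvent applies ev only if the identity it claims matches the
// identity tagged on the connection; untagged connections are rejected.
func HandleDomainEvent(ctx context.Context, st VMIState, ev DomainEvent) error {
	id, ok := ctx.Value(identityKey{}).(ConnIdentity)
	if !ok || id.UID == "" {
		return ErrNoIdentity // fail closed: never trust the body alone
	}
	if ev.VMIUID != id.UID {
		return fmt.Errorf("%w: connection=%s event=%s/%s(%s)",
			ErrIdentityMismatch, id.UID, ev.Namespace, ev.Name, ev.VMIUID)
	}
	st[ev.VMIUID] = ev.Type
	return nil
}

// Simulate drives three constructed connections: two legitimate events and one
// sent over uid-b's socket that claims to be uid-a. Returns the resulting state
// and the per-event outcome in order.
func Simulate() (VMIState, []error) {
	st := VMIState{}
	base := "/var/run/kubevirt/sockets" // assumed base path, not KubeVirt's
	cases := []struct {
		path string
		ev   DomainEvent
	}{
		{filepath.Join(base, "uid-a", "domain-notify-pipe.sock"), DomainEvent{"tenant-a", "vm-a", "uid-a", "Started"}},
		{filepath.Join(base, "uid-b", "domain-notify-pipe.sock"), DomainEvent{"tenant-a", "vm-a", "uid-a", "Stopped"}},
		{filepath.Join(base, "uid-b", "domain-notify-pipe.sock"), DomainEvent{"tenant-b", "vm-b", "uid-b", "Started"}},
	}
	var errs []error
	for _, c := range cases {
		id, err := IdentityFromSocketPath(c.path)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		ctx := WithConnIdentity(context.Background(), id)
		errs = append(errs, HandleDomainEvent(ctx, st, c.ev))
	}
	return st, errs
}

func main() {
	st, errs := Simulate()
	for i, err := range errs {
		fmt.Printf("event %d: err=%v\n", i, err)
	}
	fmt.Printf("state: %v\n", st)
}
```

The essential property is that the identity comparison uses a value fixed when the connection was accepted (here, derived from the socket path, which the sender cannot choose) rather than anything parsed from the message; a handler that receives a context without such a tag returns `ErrNoIdentity` instead of falling back to the body.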

References:
- Vulnerable file: pkg/virt-handler/notify-server/server.go
- Pipe handler: pkg/virt-handler/notify-server/pipe.go

