A flaw was found in KubeVirt's network cache handling in virt-handler. The WriteToCachedFile function in pkg/network/cache/cache.go writes network cache data to a path under /proc/<launcherPid>/root/var/run/kubevirt-private/ using os.WriteFile and then changes ownership using os.Chown. Neither operation uses O_NOFOLLOW or the safepath package to prevent symlink traversal. Since virt-handler operates in the host mount namespace (only the network namespace is entered via setns), a symlink planted by a compromised virt-launcher process at the cache file path causes virt-handler to follow the symlink and write to an arbitrary host file, overwriting its content with JSON data and changing its ownership to uid 107. This constitutes a container-to-host file write primitive, though with constrained content (serialized JSON network cache data). The vulnerable code path is triggered only for bridge/non-masquerade interfaces (via the discoverbridge path in vm.go -> netconf.go -> cache.go). The default masquerade binding does not exercise this path.
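As an added illustration of the pattern described above (constructed here, not KubeVirt's code and not part of the original advisory): the path-based `os.WriteFile` + `os.Chown` sequence beside a hardened writer that opens with `O_NOFOLLOW`, checks the open descriptor is a regular file, and chowns the descriptor rather than the path. The function names `unsafeWriteCachedFile`, `safeWriteCachedFile` and `demoSymlinkRedirect`, the `eth0.json` cache path and the `host-file` target are all made up for the demo; it assumes Linux, and chowns to the current uid/gid because changing ownership to another uid (107 in the advisory) requires root. Note that `O_NOFOLLOW` only protects the final path component; a symlink in a parent directory still needs component-by-component resolution, which is what a safepath-style package provides.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// unsafeWriteCachedFile reproduces the pattern the advisory describes (a
// constructed illustration, not KubeVirt's code): path-based write, then
// path-based chown. Both resolve symlinks, so a planted symlink redirects both.
func unsafeWriteCachedFile(path string, data []byte, uid, gid int) error {
	if err := os.WriteFile(path, data, 0o644); err != nil {
		return err
	}
	return os.Chown(path, uid, gid)
}

// safeWriteCachedFile refuses a symlink in the final path component and
// chowns the open descriptor, so write and chown hit the same inode.
func safeWriteCachedFile(path string, data []byte, uid, gid int) error {
	// O_NOFOLLOW makes open(2) fail with ELOOP if the last component is a
	// symlink. It does not cover symlinks in parent directories; those must
	// be trusted or resolved component by component (what safepath is for).
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
	if err != nil {
		if errors.Is(err, syscall.ELOOP) {
			return fmt.Errorf("refusing to write %s: path is a symlink", path)
		}
		return err
	}
	defer f.Close()
	// Reject anything that is not a plain file (FIFO, device node, ...).
	if st, err := f.Stat(); err != nil || !st.Mode().IsRegular() {
		return fmt.Errorf("refusing to write %s: not a regular file (%v)", path, err)
	}
	if _, err := f.Write(data); err != nil {
		return err
	}
	// Fchown on the descriptor: no second path lookup, no TOCTOU window.
	return f.Chown(uid, gid)
}

type demoResult struct {
	HostAfterUnsafe, HostAfterSafe string
	SafeErr                        error
}

func mustRead(p string) string {
	b, err := os.ReadFile(p)
	if err != nil {
		panic(err)
	}
	return string(b)
}

// demoSymlinkRedirect builds a constructed scenario under dir: a stand-in for
// a host file, and a symlink at the cache path pointing at it. The chown uses
// the current uid/gid; changing to another uid (107 in the advisory) needs root.
func demoSymlinkRedirect(dir string) (demoResult, error) {
	var r demoResult
	hostFile := filepath.Join(dir, "host-file")
	cachePath := filepath.Join(dir, "cache", "eth0.json")
	const original = "original host content\n"
	payload := []byte(`{"iface":"eth0"}`)
	uid, gid := os.Getuid(), os.Getgid()
	if err := os.MkdirAll(filepath.Dir(cachePath), 0o755); err != nil {
		return r, err
	}
	if err := os.WriteFile(hostFile, []byte(original), 0o644); err != nil {
		return r, err
	}
	if err := os.Symlink(hostFile, cachePath); err != nil {
		return r, err
	}
	// Vulnerable writer: the symlink is followed and the target overwritten.
	if err := unsafeWriteCachedFile(cachePath, payload, uid, gid); err != nil {
		return r, err
	}
	r.HostAfterUnsafe = mustRead(hostFile)
	// Restore the target, then run the hardened writer against the same symlink.
	if err := os.WriteFile(hostFile, []byte(original), 0o644); err != nil {
		return r, err
	}
	r.SafeErr = safeWriteCachedFile(cachePath, payload, uid, gid)
	r.HostAfterSafe = mustRead(hostFile)
	return r, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "cache-demo")
	defer os.RemoveAll(dir)
	r, err := demoSymlinkRedirect(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("unsafe: %q\nsafe err: %v\nsafe: %q\n", r.HostAfterUnsafe, r.SafeErr, r.HostAfterSafe)
}
```

Running it shows the target overwritten with the JSON payload by the unsafe writer, while the hardened writer returns an ELOOP-derived error and leaves the target untouched. The descriptor-based `f.Chown` is the important half of the fix: even with `O_NOFOLLOW` on the open, a second path-based `os.Chown` would reintroduce a lookup that a symlink swapped in between the two calls could redirect.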