Bug 2492681 (CVE-2026-13322) - CVE-2026-13322 kubevirt: virt-handler-rhel9: kubevirt: unbounded virtio-serial ReadLine in virt-handler causes OOM denial of service
Summary: CVE-2026-13322 kubevirt: virt-handler-rhel9: kubevirt: unbounded virtio-seria...
Keywords:
Status: NEW
Alias: CVE-2026-13322
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-06-25 09:28 UTC by OSIDB Bzimport
Modified: 2026-06-25 09:37 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-25 09:28:05 UTC
A flaw was found in KubeVirt's downward metrics virtio-serial server in virt-handler. The server reads guest requests using textproto.Reader.ReadLine() in pkg/downwardmetrics/virtio-serial/server.go, which buffers input indefinitely until a newline character is received, with no length limit or read deadline.

The server is started from dmetrics-manager.go and wired into the virt-handler process at cmd/virt-handler/virt-handler.go; it runs inside virt-handler's address space, not in the per-VM virt-launcher pod. A VM guest writing a continuous byte stream without newlines to the downward-metrics virtio-serial channel therefore causes unbounded heap allocation in virt-handler until it is OOM-killed.

Affected image: virt-handler-rhel9. Upstream fix should wrap the reader in io.LimitedReader with a small cap and add a per-read deadline.
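As an added illustration (not code from KubeVirt or from the upstream fix), the vulnerable textproto.ReadLine pattern is shown beside a bounded reader of the kind the description calls for: an io.LimitedReader with a small cap plus a per-read deadline. The boundedLineReader type, the 1024-byte cap used in the test, and the choice to arm the deadline only when the source is a net.Conn are assumptions of this example.

```go
package main

import (
	"bufio"
	"errors"
	"io"
	"net"
	"net/textproto"
	"strings"
	"time"
)

var ErrLineTooLong = errors.New("downward-metrics request line exceeds cap")

// Vulnerable pattern, for contrast: ReadLine keeps buffering until '\n' arrives, with no bound.
func readLineUnbounded(r io.Reader) (string, error) {
	return textproto.NewReader(bufio.NewReader(r)).ReadLine()
}

// boundedLineReader resets an io.LimitedReader to limit+1 bytes before every read, so no
// request can buffer more than that, and arms a per-read deadline when src is a net.Conn.
type boundedLineReader struct {
	src     io.Reader
	lim     *io.LimitedReader
	br      *bufio.Reader
	limit   int64
	timeout time.Duration
}

func newBoundedLineReader(r io.Reader, limit int64, timeout time.Duration) *boundedLineReader {
	lim := &io.LimitedReader{R: r, N: limit + 1}
	br := bufio.NewReaderSize(lim, int(limit)+1) // fixed-size buffer that never grows
	return &boundedLineReader{src: r, lim: lim, br: br, limit: limit, timeout: timeout}
}

func (b *boundedLineReader) ReadLine() (string, error) {
	if c, ok := b.src.(net.Conn); ok { // in-memory readers (as in tests) have no deadline
		if err := c.SetReadDeadline(time.Now().Add(b.timeout)); err != nil {
			return "", err
		}
	}
	b.lim.N = b.limit + 1 // +1 so an overlong line is detected rather than silently cut
	line, err := b.br.ReadString('\n')
	if (err != nil && !errors.Is(err, io.EOF)) || line == "" {
		return "", err
	}
	if int64(len(strings.TrimSuffix(line, "\n"))) > b.limit {
		return "", ErrLineTooLong
	}
	return strings.TrimRight(line, "\r\n"), nil
}
```

On ErrLineTooLong the caller should close the channel rather than keep reading, since the guest has already shown it is not speaking the line protocol.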

