Bug 2493576 (CVE-2026-13434) - CVE-2026-13434 virt-controller-rhel9: kubevirt: kubevirt: Multus default-network annotation injection via unvalidated tenant networkName when ExternalNetResourceInjection is enabled
Summary: CVE-2026-13434 virt-controller-rhel9: kubevirt: kubevirt: Multus default-netw...
Keywords:
Status: NEW
Alias: CVE-2026-13434
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2026-06-26 15:15 UTC by OSIDB Bzimport
Modified: 2026-06-26 15:54 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-26 15:15:32 UTC
A flaw was found in KubeVirt's network annotation generator. The tenant-supplied multus.networkName in a VMI spec is written verbatim into the launcher pod's v1.multus-cni.io/default-network annotation without input validation. When the ExternalNetResourceInjection Beta feature gate is enabled (it is off by default), no NetworkAttachmentDefinition (NAD) lookup is performed that would otherwise catch malformed values, so a tenant can supply a JSON-formatted NetworkSelectionElement array in place of a network name and attach the launcher pod to arbitrary network attachments in any namespace, with attacker-controlled IP and MAC addresses. This enables cross-namespace network access and service impersonation. The vulnerable code path was introduced with the ExternalNetResourceInjection feature gate in KubeVirt v1.8.0, first shipped in OpenShift Virtualization 4.21.
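The mechanism described above, as an added example that is not KubeVirt's or Multus's own code: a Go sketch of the vulnerable copy-through beside a validating replacement, plus an approximation of how Multus interprets the annotation so the effect of the injection is visible. The function names (VulnerableDefaultNetworkAnnotation, HardenedDefaultNetworkAnnotation, ValidateNetworkName, ParseAsMultus), the trimmed NetworkSelectionElement type, the assumption that Multus treats a value containing '[', '{' or '"' as JSON and everything else as comma-separated "namespace/name" references, and the sample tenant payload are all constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Annotation key named in the report; Multus picks the launcher pod's default network from it.
const multusDefaultNetworkKey = "v1.multus-cni.io/default-network"

// NetworkSelectionElement keeps only the Multus fields that matter here (a subset of the real type).
type NetworkSelectionElement struct {
	Name      string   `json:"name"`
	Namespace string   `json:"namespace,omitempty"`
	IPs       []string `json:"ips,omitempty"`
	Mac       string   `json:"mac,omitempty"`
}

// VulnerableDefaultNetworkAnnotation models the reported code path: the tenant value is
// copied verbatim, with neither syntactic validation nor a NAD lookup (the lookup is what
// the ExternalNetResourceInjection gate switches off).
func VulnerableDefaultNetworkAnnotation(networkName string) map[string]string {
	return map[string]string{multusDefaultNetworkKey: networkName}
}

// ParseAsMultus approximates how Multus reads the annotation (an assumption about its parser):
// a value containing '[', '{' or '"' is decoded as a JSON NetworkSelectionElement array;
// anything else is a comma-separated list of "name" or "namespace/name" references resolved
// against the pod's namespace. This is what turns an injected string into attachments.
func ParseAsMultus(podNamespace, value string) ([]NetworkSelectionElement, error) {
	var elems []NetworkSelectionElement
	if strings.ContainsAny(value, "[{\"") {
		if err := json.Unmarshal([]byte(value), &elems); err != nil {
			return nil, err
		}
		for i := range elems {
			if elems[i].Namespace == "" {
				elems[i].Namespace = podNamespace
			}
		}
		return elems, nil
	}
	for _, ref := range strings.Split(value, ",") {
		ref = strings.TrimSpace(ref)
		ns, name := podNamespace, ref
		if i := strings.Index(ref, "/"); i >= 0 {
			ns, name = ref[:i], ref[i+1:]
		}
		elems = append(elems, NetworkSelectionElement{Name: name, Namespace: ns})
	}
	return elems, nil
}

// dns1123Subdomain is the Kubernetes object-name grammar a NAD name and namespace must satisfy.
var dns1123Subdomain = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// ValidateNetworkName is the missing input check: it accepts only "name" or "namespace/name"
// whose parts are DNS-1123 subdomains, resolving a bare name to the VMI's namespace.
// The grammar alone rejects brackets, braces, quotes, commas, '@' suffixes and whitespace,
// so a JSON selection can never reach the annotation, whether or not a NAD lookup happens.
func ValidateNetworkName(vmiNamespace, networkName string) (namespace, name string, err error) {
	parts := strings.Split(networkName, "/")
	switch len(parts) {
	case 1:
		namespace, name = vmiNamespace, parts[0]
	case 2:
		namespace, name = parts[0], parts[1]
	default:
		return "", "", fmt.Errorf("networkName %q: expected name or namespace/name", networkName)
	}
	if !dns1123Subdomain.MatchString(namespace) || !dns1123Subdomain.MatchString(name) || len(name) > 253 {
		return "", "", fmt.Errorf("networkName %q: not a valid NetworkAttachmentDefinition reference", networkName)
	}
	return namespace, name, nil
}

// HardenedDefaultNetworkAnnotation validates first and then emits the canonical
// "namespace/name" form, so the tenant controls at most which NAD is named, never the
// IPs or MAC of the attachment. Whether a foreign namespace should be allowed at all is a
// policy decision for the caller; this check enforces only the grammar.
func HardenedDefaultNetworkAnnotation(vmiNamespace, networkName string) (map[string]string, error) {
	ns, name, err := ValidateNetworkName(vmiNamespace, networkName)
	if err != nil {
		return nil, err
	}
	return map[string]string{multusDefaultNetworkKey: ns + "/" + name}, nil
}

func main() {
	// Constructed tenant payload: a NetworkSelectionElement array pointing at another namespace.
	payload := `[{"name":"prod-net","namespace":"victim","ips":["10.0.0.5/24"],"mac":"02:00:00:00:00:05"}]`
	vuln := VulnerableDefaultNetworkAnnotation(payload)
	elems, _ := ParseAsMultus("tenant-a", vuln[multusDefaultNetworkKey])
	fmt.Printf("vulnerable path attaches to: %+v\n", elems)
	if _, err := HardenedDefaultNetworkAnnotation("tenant-a", payload); err != nil {
		fmt.Println("hardened path:", err)
	}
}
```

Running main shows the vulnerable path handing Multus an attachment in namespace "victim" with the tenant's chosen IP and MAC, while the hardened path refuses the same input before any annotation is written. The point of validating the grammar rather than relying on the NAD lookup is that the check then holds regardless of which feature gates are enabled.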

