CVE-2026-13201: Kubevirt: virt-handler-rhel9: kubevirt: safepath symlink following in virt-handler enables notify socket hijacking and node-level vm disruption

CVSS 7.3 · High · EPSS 0.12% · P2

Affected Version Matrix 2

| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat OpenShift Virtualization 4 | any | affected |
| | | any | affected |

I. Basic Information for CVE-2026-13201

Vulnerability Information


Vulnerability Title
Kubevirt: virt-handler-rhel9: kubevirt: safepath symlink following in virt-handler enables notify socket hijacking and node-level vm disruption
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in KubeVirt's safepath package used by virt-handler. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream operations resolve the path via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel dereferences it, defeating the intended no-follow protection. An attacker with access to a virt-launcher pod can exploit this to redirect virt-handler's IPC socket connections, including the notify socket used for VM domain lifecycle events. By hijacking this socket, the attacker can inject arbitrary domain events into virt-handler, causing it to take incorrect lifecycle actions, corrupt VM state in the Kubernetes API, or crash — resulting in sustained denial of VM management services for all virtual machines on the affected node. Additionally, the same symlink following flaw allows virt-handler to apply file ownership or permission changes to unintended host paths.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-61
Source: NVD (National Vulnerability Database)
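
A hardening check for the pattern in the NVD description above, as an added example (not KubeVirt's safepath code or its fix): after the O_PATH|O_NOFOLLOW open, fstat the descriptor and refuse to hand out a /proc/self/fd/N path when the pinned leaf is itself a symlink. The names pinLeaf, checkFixture and errSymlinkLeaf, the O_PATH value for linux/amd64 and arm64, and the temporary fixture are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

const oPath = 0x200000 // O_PATH on linux/amd64 and linux/arm64 (assumed platform)
var errSymlinkLeaf = errors.New("leaf is a symlink, refusing /proc/self/fd path")

// pinLeaf opens the leaf itself (O_PATH|O_NOFOLLOW) and returns a /proc/self/fd/N
// path only if the pinned object is not a symlink; otherwise it closes the fd.
func pinLeaf(path string) (int, string, error) {
	fd, err := syscall.Open(path, oPath|syscall.O_NOFOLLOW|syscall.O_CLOEXEC, 0)
	if err != nil {
		return -1, "", err
	}
	var st syscall.Stat_t
	if err = syscall.Fstat(fd, &st); err == nil && st.Mode&syscall.S_IFMT == syscall.S_IFLNK {
		err = errSymlinkLeaf
	}
	if err != nil {
		syscall.Close(fd)
		return -1, "", err
	}
	return fd, fmt.Sprintf("/proc/self/fd/%d", fd), nil
}

// checkFixture pins a constructed plain directory and a constructed symlink leaf.
func checkFixture() (plainErr, linkErr error) {
	dir, err := os.MkdirTemp("", "leafcheck")
	if err != nil {
		return err, err
	}
	defer os.RemoveAll(dir)
	link := dir + "/notify.sock" // constructed name; the target need not exist
	if err = os.Symlink("/nonexistent-target", link); err != nil {
		return err, err
	}
	fd, _, plainErr := pinLeaf(dir)
	if plainErr == nil {
		syscall.Close(fd)
	}
	_, _, linkErr = pinLeaf(link)
	return plainErr, linkErr
}

func main() {
	fmt.Println(checkFixture())
}
```

The check runs on the already-opened descriptor, so the object inspected is the same one any later fd-relative call operates on.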
Vulnerability Title
KubeVirt link following vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
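KubeVirt is an open-source tool from the KubeVirt organization for running and managing virtual machines directly on Kubernetes, allowing containerized applications and traditional virtual machine workloads to coexist on the same platform. KubeVirt contains a link following vulnerability. It stems from the OpenAtNoFollow function using O_PATH|O_NOFOLLOW to obtain a file descriptor while downstream helper functions use link-following syscalls via /proc/self/fd/N; when the leaf is a symlink, the kernel dereferences it, bypassing the intended no-follow protection. An attacker with access to a virt-launcher pod may cause virt-handl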
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

| Vendor | Product | Affected Versions | CPE |
|---|---|---|---|
| Red Hat | Red Hat OpenShift Virtualization 4 | - | cpe:/a:redhat:container_native_virtualization:4 |
| Red Hat | Red Hat OpenShift Virtualization 4 | - | cpe:/a:redhat:container_native_virtualization:4 |

II. Public POCs for CVE-2026-13201

No public POC found.

III. Intelligence Information for CVE-2026-13201

Vendor Advisories for CVE-2026-13201 (1)

Other References for CVE-2026-13201 (1)

IV. Related Vulnerabilities