Vulnerability Information
Vulnerability Title
Kubevirt: virt-handler-rhel9: kubevirt: safepath symlink following in virt-handler enables notify socket hijacking and node-level VM disruption
Vulnerability Description
A flaw was found in KubeVirt's safepath package used by virt-handler. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream operations resolve the path via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel dereferences it, defeating the intended no-follow protection. An attacker with access to a virt-launcher pod can exploit this to redirect virt-handler's IPC socket connections, including the notify socket used for VM domain lifecycle events. By hijacking this socket, the attacker can inject arbitrary domain events into virt-handler, causing it to take incorrect lifecycle actions, corrupt VM state in the Kubernetes API, or crash, resulting in sustained denial of VM management services for all virtual machines on the affected node. Additionally, the same symlink-following flaw allows virt-handler to apply file ownership or permission changes to unintended host paths.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
Vulnerability Type
CWE-61
Vulnerability Title
KubeVirt Link Following Vulnerability
Vulnerability Description
KubeVirt is an open-source tool from the KubeVirt organization for running and managing virtual machines directly on Kubernetes, allowing containerized applications and traditional virtual machine workloads to coexist on the same platform. KubeVirt contains a link following vulnerability. The flaw stems from the OpenAtNoFollow function obtaining a file descriptor with O_PATH|O_NOFOLLOW while downstream helper functions use link-following system calls via /proc/self/fd/N; when the leaf node is a symbolic link, the kernel dereferences it, bypassing the intended no-follow protection. An attacker with access to a virt-launcher pod may cause virt-handl
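The two descriptions above both hinge on the same gap: the O_PATH|O_NOFOLLOW fd is obtained correctly, but the helpers then re-resolve it as the path string /proc/self/fd/N, which the page says the kernel follows when the leaf is a symlink. The check below is an added example (not KubeVirt's safepath code): it inspects the fd itself with fstatat(AT_EMPTY_PATH), which never re-resolves a path, and refuses a symlink leaf before any helper can turn the fd back into a /proc path. The temp directory and file names are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if the object behind an O_PATH|O_NOFOLLOW fd is itself a symlink, 0 if not,
 * -1 on error. AT_EMPTY_PATH makes fstatat act on the fd's own inode, so no
 * path string is re-resolved and nothing can be followed. */
int leaf_is_symlink(int fd) {
    struct stat st;
    if (fstatat(fd, "", &st, AT_EMPTY_PATH) != 0) return -1;
    return S_ISLNK(st.st_mode) ? 1 : 0;
}

/* Open the leaf with O_PATH|O_NOFOLLOW and refuse to hand the fd out when the
 * leaf is a symlink. Returns the fd, or -1 with errno set (ELOOP for a link). */
int open_leaf_nofollow(const char *path) {
    int fd = open(path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    int is_link = leaf_is_symlink(fd);
    if (is_link != 0) {
        int saved = (is_link < 0) ? errno : ELOOP;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Constructed fixture (hypothetical names): a regular file standing in for the
 * socket leaf, plus a symlink pointing at it, inside a fresh temp directory. */
int make_fixture(char *reg, size_t reglen, char *lnk, size_t lnklen) {
    char dir[] = "/tmp/safepath-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(reg, reglen, "%s/notify.sock", dir);
    snprintf(lnk, lnklen, "%s/link-to-sock", dir);
    int fd = open(reg, O_CREAT | O_WRONLY | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return symlink(reg, lnk);
}

int main(void) {
    char reg[64], lnk[64];
    if (make_fixture(reg, sizeof reg, lnk, sizeof lnk) != 0) return 1;
    printf("regular leaf fd=%d\n", open_leaf_nofollow(reg)); /* >= 0 */
    printf("symlink leaf fd=%d\n", open_leaf_nofollow(lnk)); /* -1, errno ELOOP */
    return 0;
}
```

The same AT_EMPTY_PATH idiom applies to the follow-up operations: fchownat(fd, "", uid, gid, AT_EMPTY_PATH) acts on the opened object itself, so the ownership change described above cannot land on an unintended path.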
CVSS Information
N/A
Vulnerability Type
N/A