Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-13322— Kubevirt: virt-handler-rhel9: kubevirt: unbounded virtio-serial readline in virt-handler causes oom denial of service

CVSS 3.8 · Low EPSS 0.09% · P1

Affected Version Matrix 2

VendorProductVersion RangeStatus
Red HatRed Hat OpenShift Virtualization 4anyaffected
anyaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-13322

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Kubevirt: virt-handler-rhel9: kubevirt: unbounded virtio-serial readline in virt-handler causes oom denial of service
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is received, with no length limit or read deadline. A user with access to a VM guest that has the downward metrics virtio-serial device configured can write a continuous byte stream to the device, causing unbounded memory allocation in the virt-handler process until it is OOM-killed.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
不加限制或调节的资源分配
Source: NVD (National Vulnerability Database)
Vulnerability Title
KubeVirt 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
KubeVirt是KubeVirt组织开源的一款用于在 Kubernetes 上直接运行和管理虚拟机的开源工具,让容器化应用和传统虚拟机工作负载可以在同一个平台上共存。 KubeVirt存在资源管理错误漏洞,该漏洞源于downward metrics virtio-serial服务在读取客户请求时使用无长度限制的缓冲方式,可能导致virt-handler进程内存无限分配直至被OOM-kill。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Red HatRed Hat OpenShift Virtualization 4-cpe:/a:redhat:container_native_virtualization:4
Red HatRed Hat OpenShift Virtualization 4-cpe:/a:redhat:container_native_virtualization:4

II. Public POCs for CVE-2026-13322

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-13322

登录查看更多情报信息。

Vendor Advisories for CVE-2026-13322 (1)

Other References for CVE-2026-13322 (1)

Same Patch Batch · Red Hat · 2026-06-26 · 3 CVEs total

CVE-2026-133258.5 HIGHVirt-handler-rhel9: kubevirt: kubevirt: disabletls migration setting removes authenticatio
CVE-2026-134344.9 MEDIUMVirt-controller-rhel9: kubevirt: kubevirt: multus default-network annotation injection via

IV. Related Vulnerabilities

V. Comments for CVE-2026-13322

No comments yet


Leave a comment