Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-13434— Virt-controller-rhel9: kubevirt: kubevirt: multus default-network annotation injection via unvalidated tenant networkname when externalnetresourceinjection is enabled

CVSS 4.9 · Medium
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-13434

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Virt-controller-rhel9: kubevirt: kubevirt: multus default-network annotation injection via unvalidated tenant networkname when externalnetresourceinjection is enabled
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in KubeVirt's network annotation generator. When a tenant creates a VirtualMachineInstance with a Multus network configuration, the supplied networkName value is written verbatim into the launcher pod's v1.multus-cni.io/default-network annotation without format validation or sanitization. The only admission check rejects empty strings; no DNS-1123 format validation, JSON detection, or special character rejection is performed. When the ExternalNetResourceInjection Beta feature gate is enabled (off by default, cluster-admin only), the NAD lookup that would otherwise catch malformed names is skipped by design. A tenant with kubevirt.io:edit permissions can inject a JSON-formatted NetworkSelectionElement array specifying an arbitrary namespace, NAD name, static IP address, and MAC address. Multus on the node parses this JSON and attaches the launcher pod to the specified network attachment in any namespace, enabling cross-namespace network access and IP/MAC impersonation on network segments normally segregated from tenant workloads. The ExternalNetResourceInjection feature gate was introduced in KubeVirt v1.8.0 (first shipped in OpenShift Virtualization 4.21).
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Red HatRed Hat OpenShift Virtualization 4-cpe:/a:redhat:container_native_virtualization:4

II. Public POCs for CVE-2026-13434

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-13434

登录查看更多情报信息。

Other References for CVE-2026-13434 (2)

Same Patch Batch · Red Hat · 2026-06-26 · 3 CVEs total

CVE-2026-133258.5 HIGHVirt-handler-rhel9: kubevirt: kubevirt: disabletls migration setting removes authenticatio
CVE-2026-133223.8 LOWKubevirt: virt-handler-rhel9: kubevirt: unbounded virtio-serial readline in virt-handler c

IV. Related Vulnerabilities

V. Comments for CVE-2026-13434

No comments yet


Leave a comment