CVE-2025-64324: KubeVirt Vulnerable to Arbitrary Host File Read and Write
(updated )
The hostDisk feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, the implementation of this feature and more specifically the DiskOrCreate option which creates a file if it doesn’t exist, has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system.
References
- github.com/advisories/GHSA-46xp-26xh-hpqh
- github.com/kubevirt/kubevirt
- github.com/kubevirt/kubevirt/commit/00d03e43e3bf03e563136695a4732b65ed42d764
- github.com/kubevirt/kubevirt/commit/ff3b69b08b6b9c8d08d23735ca8d82455f790a69
- github.com/kubevirt/kubevirt/pull/15037
- github.com/kubevirt/kubevirt/security/advisories/GHSA-46xp-26xh-hpqh
- nvd.nist.gov/vuln/detail/CVE-2025-64324
Code Behaviors & Features
Detect and mitigate CVE-2025-64324 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →