CVE-2025-64437: KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes
(updated )
_Short summary of the problem. Make the impact and severity as clear as possible.
It is possible to trick the virt-handler component into changing the ownership of arbitrary files on the host node to the unprivileged user with UID 107 due to mishandling of symlinks when determining the root mount of a virt-launcher pod.
References
- github.com/advisories/GHSA-2r4r-5x78-mvqf
- github.com/kubevirt/kubevirt
- github.com/kubevirt/kubevirt/commit/3ce9f41c54d04a65f10b23a46771391c00659afb
- github.com/kubevirt/kubevirt/commit/8644dbe0d04784b0bfa8395b91ecbd6001f88f6b
- github.com/kubevirt/kubevirt/commit/f59ca63133f25de8fceb3e2a0e5cc0b7bdb6a265
- github.com/kubevirt/kubevirt/security/advisories/GHSA-2r4r-5x78-mvqf
- nvd.nist.gov/vuln/detail/CVE-2025-64437
Code Behaviors & Features
Detect and mitigate CVE-2025-64437 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →