CVE-2025-64324

High CVSS: 8.5

KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn't exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.

Vendor

Kubevirt

Product

Kubevirt

CWE

CWE-200

Yayın Tarihi

2025-11-18 23:15:55

Güncelleme

2025-11-25 17:16:59

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-200 Kubevirt HIGH Kubevirt 2025

Referanslar

https://github.com/kubevirt/kubevirt/commit/00d03e43e3bf03e563136695a4732b65ed42d764 https://github.com/kubevirt/kubevirt/commit/ff3b69b08b6b9c8d08d23735ca8d82455f790a69 https://github.com/kubevirt/kubevirt/pull/15037 https://github.com/kubevirt/kubevirt/security/advisories/GHSA-46xp-26xh-hpqh

Benzer Kayıtlar

Medium

CVE-2025-64436

KubeVirt is a virtual machine management add-on for Kubernetes. In 1.5.0 and earlier, the permissions granted to the vir…

Medium

CVE-2025-64437

KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler doe…

Medium

CVE-2025-64433

KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered…

Medium

CVE-2025-64434

KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification l…

Medium

CVE-2025-64435

KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.7.0-beta.0, a logic flaw in the virt-controll…

Medium

CVE-2025-64432

KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed i…