Platform: go
Component: kubevirt.io/kubevirt
Fixed in: 1.5.1, 1.7.0
CVE-2025-64436 is a vulnerability in KubeVirt that allows an attacker to potentially force a VirtualMachineInstance (VMI) migration to a node under their control. It arises from excessive permissions granted to the virt-handler service account. The vulnerability affects KubeVirt versions before 1.7.0 and is addressed by a ValidatingAdmissionPolicy that restricts modifications to node resources, together with an upgrade to the fixed version.
Successful exploitation of CVE-2025-64436 could allow an attacker to redirect a VMI to a compromised node, effectively gaining control over the virtual machine's execution environment. This could lead to data breaches, denial of service, or further malicious activity within the Kubernetes cluster, and could be leveraged to escalate privileges or pivot to other resources in the cluster. The blast radius extends to every VM managed by the affected KubeVirt installation, making this a significant concern for environments that rely on virtualized workloads.
This vulnerability was publicly disclosed on March 23, 2023, via a GitHub security advisory. While a public proof-of-concept is not readily available, the potential for VMI migration control presents a significant risk. The vulnerability's severity is rated as MEDIUM (5.3) by CVSS. It is not currently listed on the CISA KEV catalog, but its potential impact warrants careful monitoring.
Exploit Status
EPSS: 0.07% (22nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-64436 is upgrading KubeVirt to version 1.7.0 or later, which ships a ValidatingAdmissionPolicy that restricts modifications to node resources. If upgrading is not immediately feasible, implement a similar policy that restricts the virt-handler service account's ability to modify node specifications. Review and restrict the permissions granted to the virt-handler service account so that it holds only the privileges its intended functions require. After upgrading, confirm the policy is in effect by attempting to modify a node resource as the virt-handler service account (for example with kubectl's --as flag) and verifying that the request is rejected.
Update KubeVirt to a version later than 1.5.0 that contains the security fixes. Review and adjust the permissions of the virt-handler service account to limit its ability to update VMIs and patch nodes, following the principle of least privilege. See advisory GHSA-7xgm-5prm-v5gc for more details and possible mitigations.
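The interim mitigation described above, as an added example that is not KubeVirt's own policy: a ValidatingAdmissionPolicy that lets the virt-handler service account touch only kubevirt.io-scoped node labels and never the node spec. It assumes KubeVirt is installed in the "kubevirt" namespace and that virt-handler runs as the "kubevirt-handler" service account; adjust both to match your installation.

```yaml
# Added example, not KubeVirt's shipped policy. Assumed: namespace "kubevirt",
# service account "kubevirt-handler". Requires a Kubernetes release with
# admissionregistration.k8s.io/v1 ValidatingAdmissionPolicy.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: restrict-virt-handler-node-writes
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["UPDATE"]   # PATCH requests are admitted as UPDATE
      resources: ["nodes"]     # nodes/status (heartbeats) is not matched
  matchConditions:
  # Only evaluate requests made by the virt-handler service account.
  - name: from-virt-handler
    expression: "request.userInfo.username == 'system:serviceaccount:kubevirt:kubevirt-handler'"
  variables:
  - name: oldLabels
    expression: "has(oldObject.metadata.labels) ? oldObject.metadata.labels : {}"
  - name: newLabels
    expression: "has(object.metadata.labels) ? object.metadata.labels : {}"
  # Keys that were added, changed, or removed in this request.
  - name: changedKeys
    expression: >-
      variables.newLabels.filter(k, !(k in variables.oldLabels) ||
        variables.oldLabels[k] != variables.newLabels[k]) +
      variables.oldLabels.filter(k, !(k in variables.newLabels))
  validations:
  # Node spec (taints, unschedulable, podCIDR, ...) must be left untouched.
  - expression: "object.spec == oldObject.spec"
    message: "virt-handler may not modify node spec"
  # Only kubevirt.io labels (e.g. kubevirt.io/schedulable, *.node.kubevirt.io/*) may change.
  - expression: >-
      variables.changedKeys.all(k,
        k.startsWith('kubevirt.io/') || k.contains('.kubevirt.io/'))
    message: "virt-handler may only change kubevirt.io labels"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: restrict-virt-handler-node-writes
spec:
  policyName: restrict-virt-handler-node-writes
  validationActions: ["Deny"]
```

The same variables and validation can be duplicated for metadata.annotations if virt-handler in your environment also writes node annotations.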
CVE-2025-64436 is a vulnerability in KubeVirt that allows an attacker to potentially force a VMI migration to a node they control, due to excessive permissions granted to the virt-handler service account.
You are affected if you are running KubeVirt versions prior to 1.7.0 and have not implemented mitigating controls.
Upgrade KubeVirt to version 1.7.0 or later. If an immediate upgrade is not possible, implement a ValidatingAdmissionPolicy that restricts node resource modifications.
While no active exploitation has been publicly confirmed, the potential for VMI migration control presents a significant risk and warrants monitoring.
Refer to the GitHub security advisory published on March 23, 2023: https://github.com/kubevirt/kubevirt/security/advisories/GHSA-cp96-jpmq-xrr2