Platform: go
Component: kubevirt.io/kubevirt
Fixed in: 1.5.1, 1.7.0
CVE-2025-64436 is a vulnerability in KubeVirt that allows an attacker to potentially force a Virtual Machine Interface (VMI) migration to a node under their control. This arises from excessive permissions granted to the virt-handler service account. The vulnerability impacts KubeVirt versions before 1.7.0 and is addressed by a ValidatingAdmissionPolicy restricting node resource modifications and upgrading to the fixed version.
Successful exploitation of CVE-2025-64436 could allow an attacker to redirect a VMI to a compromised node, effectively gaining control over the virtual machine's execution environment. This could lead to data breaches, denial of service, or further malicious activities within the Kubernetes cluster. The attacker could potentially leverage this to escalate privileges or pivot to other resources within the cluster. The blast radius extends to any VMs managed by the affected KubeVirt installation, making it a significant security concern for environments relying on virtualized workloads.
This vulnerability was publicly disclosed on March 23, 2023, via a GitHub security advisory. While a public proof-of-concept is not readily available, the potential for VMI migration control presents a significant risk. The vulnerability's severity is rated as MEDIUM (5.3) by CVSS. It is not currently listed on the CISA KEV catalog, but its potential impact warrants careful monitoring.
Kubernetes clusters using KubeVirt for virtual machine management are at risk. This includes organizations deploying virtualized workloads in production environments, particularly those using KubeVirt versions prior to 1.7.0. Shared Kubernetes hosting environments where multiple users share the same cluster are also at increased risk.
• linux / server:
journalctl -u kubevirt-operator -g 'virt-handler' | grep -i -e 'error' -e 'warning'
• generic web:
curl -I <kubevirt_api_endpoint>
Inspect response headers for unusual configurations or unauthorized access attempts.
• platform: Examine KubeVirt's admission policies for any deviations from the recommended configurations.
disclosure
public
Exploit status
EPSS
0.07% (22nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-64436 is upgrading KubeVirt to version 1.7.0 or later, which includes a ValidatingAdmissionPolicy that restricts modifications to node resources. If upgrading is not immediately feasible, consider implementing a similar policy to restrict the virt-handler service account's ability to modify node specifications. Review and restrict the permissions granted to the virt-handler service account, ensuring it only has the necessary privileges for its intended functions. After upgrading, confirm the policy is correctly applied by attempting to modify node resources with the virt-handler service account and verifying that the modifications are rejected.
Upgrade KubeVirt to a version later than 1.5.0 that contains the security fixes. Review and adjust the permissions of the virt-handler service account to limit its ability to update VMIs and patch nodes, following the principle of least privilege. See advisory GHSA-7xgm-5prm-v5gc for more details and possible mitigations.
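For clusters that cannot upgrade yet, the interim policy described above could look like the following. This is an added example, not the policy shipped by the KubeVirt project. It assumes KubeVirt is installed in the kubevirt namespace with a service account named kubevirt-handler, that the cluster serves the admissionregistration.k8s.io/v1 API, and the policy name is hypothetical.

```yaml
# Added example: deny any change to a Node's spec when the request comes
# from the virt-handler service account. Names below are assumptions;
# adjust the namespace and service account to match your installation.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: example-virt-handler-node-restriction   # hypothetical name
spec:
  failurePolicy: Fail            # reject the request if the policy cannot be evaluated
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["UPDATE"]   # PATCH requests are admitted as UPDATE
        resources: ["nodes"]
  matchConditions:
    # Only evaluate requests made by the virt-handler service account, so
    # kubelet, controllers and administrators are unaffected.
    - name: is-virt-handler
      expression: >-
        request.userInfo.username ==
        "system:serviceaccount:kubevirt:kubevirt-handler"
  validations:
    # The node spec (taints, unschedulable, podCIDR, ...) must be unchanged.
    - expression: "object.spec == oldObject.spec"
      message: "virt-handler is not allowed to modify node spec"
---
# A policy has no effect until a binding selects it.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: example-virt-handler-node-restriction   # hypothetical name
spec:
  policyName: example-virt-handler-node-restriction
  validationActions: ["Deny", "Audit"]   # reject and record in the audit log
```

This sketch covers only the node spec. Confirm it as the text describes, by checking that a node spec change submitted as the virt-handler service account is rejected.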
CVE-2025-64436 is a vulnerability in KubeVirt allowing an attacker to potentially force a VMI migration to a controlled node due to excessive permissions granted to the virt-handler service account.
You are affected if you are running KubeVirt versions prior to 1.7.0 and have not implemented mitigating controls.
Upgrade KubeVirt to version 1.7.0 or later. If immediate upgrade is not possible, implement a ValidatingAdmissionPolicy to restrict node resource modifications.
While no active exploitation has been publicly confirmed, the potential for VMI migration control presents a significant risk and warrants monitoring.
Refer to the GitHub security advisory published on March 23, 2023: https://github.com/kubevirt/kubevirt/security/advisories/GHSA-cp96-jpmq-xrr2