CVE-2026-13201
Kubevirt: virt-handler-rhel9: kubevirt: safepath openatnofollow symlink following via /proc/self/fd allows host file metadata modification
Description
A flaw was found in KubeVirt's safepath package. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream helpers operate via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel dereferences it, defeating the intended no-follow protection. An attacker with access to a virt-launcher pod can exploit this to cause virt-handler to apply file ownership or permission changes to an unintended host path.
INFO
Published Date :
June 24, 2026, 8:39 p.m.
Last Modified :
June 24, 2026, 8:39 p.m.
Remotely Exploit :
No
Source :
redhat
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | 53f830b8-0a3f-465b-8143-3b8a9948e749 | ||||
| CVSS 3.1 | MEDIUM | [email protected] |
Solution
- Update KubeVirt to a patched version.
- Verify file descriptor handling logic.
- Review host path access controls.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-13201 vulnerability anywhere in the article.