CVE-2026-13208
Kubevirt: virt-handler-rhel9: kubevirt: virt-handler notify server trusts vmi identity from unauthenticated grpc request body
Description
A flaw was found in KubeVirt's virt-handler domain notify server. The gRPC handlers for HandleDomainEvent and HandleK8SEvent derive the VMI identity (namespace/name) solely from the request body without validating it against the connection's origin. Each virt-launcher pod connects through a per-VMI pipe socket, but no identity tag is propagated from the pipe path to the server handlers. This allows a compromised virt-launcher process to send forged domain lifecycle events for any other VMI scheduled on the same node, causing virt-handler to erroneously update that VMI's state and disrupt its lifecycle management.
INFO
Published Date :
June 24, 2026, 8:39 p.m.
Last Modified :
June 24, 2026, 8:39 p.m.
Remotely Exploit :
No
Source :
redhat
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | 53f830b8-0a3f-465b-8143-3b8a9948e749 | ||||
| CVSS 3.1 | MEDIUM | [email protected] |
Solution
- Validate VMI identity from request against connection origin.
- Propagate identity tag from pipe path to handlers.
- Update virt-handler and virt-launcher components.
- Apply relevant patches or updates for KubeVirt.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-13208 vulnerability anywhere in the article.