PT-2025-45439 · Kubevirt +1
Published 2025-11-06
Updated 2026-01-02
CVE-2025-64436
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
KubeVirt versions prior to 1.5.0
Description
KubeVirt is a virtual machine management add-on for Kubernetes. Its virt-handler component runs as a DaemonSet on every node, and the virt-handler service account is granted permission to update VirtualMachineInstances (VMIs) and to patch Node objects cluster-wide. Because that service-account token is present on every node, an attacker who has compromised a single node can reuse it against the Kubernetes API: the node-patch permission lets the attacker mark every other node as unschedulable, and the VMI-update permission lets the attacker trigger live migrations, so that migrated or newly created VMIs, together with the privileged pods that back them, are scheduled onto the compromised node.
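The risky pattern is a single ClusterRole that can write Node objects and VirtualMachineInstances at the same time. The following RBAC audit is an added example, not code from KubeVirt or from this advisory; the sample ClusterRoles and ClusterRoleBindings are constructed to resemble a pre-fix virt-handler role, a tightened variant, and a wildcard role, and their exact rule lists are an assumption rather than a copy of any released KubeVirt manifest. The same functions can be run over the `items` of `kubectl get clusterroles,clusterrolebindings -o json` from a live cluster.

```python
"""Audit Kubernetes RBAC for the virt-handler privilege combination
described in CVE-2025-64436: a role that can patch/update Nodes (cordon or
taint every other node) AND patch/update VirtualMachineInstances (force a
migration). Sample objects below are constructed for this example."""
from typing import Dict, Iterable, List, Tuple

NODE_WRITE_VERBS = {"patch", "update"}
VMI_WRITE_VERBS = {"patch", "update"}


def _covers(values: Iterable[str], wanted: str) -> bool:
    """True if an RBAC list entry covers `wanted`, honouring the '*' wildcard."""
    return any(v == "*" or v == wanted for v in values)


def grants(role: Dict, api_group: str, resource: str, verb: str) -> bool:
    """True if any rule in the role allows `verb` on `api_group/resource`."""
    for rule in role.get("rules", []):
        if (_covers(rule.get("apiGroups", []), api_group)
                and _covers(rule.get("resources", []), resource)
                and _covers(rule.get("verbs", []), verb)):
            return True
    return False


def has_migration_pivot(role: Dict) -> bool:
    """Flag a role that can write Nodes and write VMIs: holding both lets a
    node-level attacker steer VMI migrations onto a node it controls."""
    can_write_nodes = any(grants(role, "", "nodes", v) for v in NODE_WRITE_VERBS)
    can_write_vmis = any(
        grants(role, "kubevirt.io", "virtualmachineinstances", v) for v in VMI_WRITE_VERBS
    )
    return can_write_nodes and can_write_vmis


def bound_service_accounts(role_name: str, bindings: List[Dict]) -> List[str]:
    """Service accounts (namespace/name) bound to a ClusterRole via ClusterRoleBindings."""
    subjects = []
    for binding in bindings:
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role_name:
            continue
        for subject in binding.get("subjects", []):
            if subject.get("kind") == "ServiceAccount":
                subjects.append(f"{subject.get('namespace', '')}/{subject['name']}")
    return subjects


def audit(roles: List[Dict], bindings: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Return (role name, bound service accounts) for every role with the pivot."""
    findings = []
    for role in roles:
        if has_migration_pivot(role):
            name = role["metadata"]["name"]
            findings.append((name, bound_service_accounts(name, bindings)))
    return findings


# --- Constructed sample data (assumption: shaped like, not copied from, KubeVirt) ---
VIRT_HANDLER_PRE_FIX = {
    "kind": "ClusterRole",
    "metadata": {"name": "kubevirt.io:virt-handler"},
    "rules": [
        {"apiGroups": ["kubevirt.io"], "resources": ["virtualmachineinstances"],
         "verbs": ["update", "list", "watch"]},
        {"apiGroups": [""], "resources": ["nodes"],
         "verbs": ["get", "list", "watch", "patch"]},
    ],
}
# Same role with node write access removed: no longer flagged.
VIRT_HANDLER_TIGHTENED = {
    "kind": "ClusterRole",
    "metadata": {"name": "kubevirt.io:virt-handler-tightened"},
    "rules": [
        {"apiGroups": ["kubevirt.io"], "resources": ["virtualmachineinstances"],
         "verbs": ["update", "list", "watch"]},
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
    ],
}
# Wildcards must be expanded, otherwise an over-broad role slips past the check.
WILDCARD_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "constructed-wildcard-admin"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
SAMPLE_ROLES = [VIRT_HANDLER_PRE_FIX, VIRT_HANDLER_TIGHTENED, WILDCARD_ROLE]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding",
     "roleRef": {"kind": "ClusterRole", "name": "kubevirt.io:virt-handler"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubevirt-handler", "namespace": "kubevirt"}]},
    {"kind": "ClusterRoleBinding",
     "roleRef": {"kind": "ClusterRole", "name": "constructed-wildcard-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
]

if __name__ == "__main__":
    for name, accounts in audit(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{name}: node+VMI write access; bound service accounts: {accounts or 'none'}")
```

A role that can only read Nodes (get/list/watch) but still update VMIs is not flagged: on its own it cannot drain the rest of the cluster to force scheduling decisions. Wildcard rules are expanded deliberately, since a `*`-verb role grants the same pivot without naming either verb.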
Recommendations
Update KubeVirt to version 1.5.0 or later.
Exploit
Fix
Weakness
CWE-269: Improper Privilege Management
CWE-276: Incorrect Default Permissions
Related Identifiers
Affected Products
Kubevirt
Kubernetes