CVE-2025-64437

CVSS v3.1

5.0

Medium

Vector

AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions KubeVirt versions prior to 1.5.3 KubeVirt versions prior to 1.6.1

Description KubeVirt, a virtual machine management add-on for Kubernetes, contains a flaw where the virt-handler does not validate if the launcher-sock is a symbolic link or a regular file. An attacker controlling the file system of a virt-launcher pod could exploit this to alter file ownership on the host node to an unprivileged user (UID 107), potentially compromising the confidentiality, integrity, and availability of host data.

Recommendations Update KubeVirt to version 1.5.3 or later. Update KubeVirt to version 1.6.1 or later.

Exploit

Fix

Link Following

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-59

Related Identifiers

AZL-69805

AZL-69970

CVE-2025-64437

GHSA-2R4R-5X78-MVQF

GO-2025-4102

OPENSUSE-SU-2025:15772-1

OPENSUSE-SU-2026:20281-1

SUSE-SU-2025:4330-1

SUSE-SU-2026:20551-1

SUSE-SU-2026:20610-1

Affected Products

Kubevirt

Kubernetes

Suse

CVE-2025-64437

Weakness Enumeration

Related Identifiers

Affected Products

References · 49