PT-2025-45511

Published: 2025-11-06 · Updated: 2026-02-27 · CVE-2025-64433

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: KubeVirt versions prior to 1.5.3; KubeVirt versions prior to 1.6.1

Description: KubeVirt, a virtual machine management add-on for Kubernetes, contains a flaw that permits a virtual machine (VM) to read arbitrary files from the virt-launcher pod's file system. This occurs due to improper symlink handling when mounting Persistent Volume Claims (PVC) disks into a VM. A malicious user controlling PVC contents can create a symbolic link pointing to files within the virt-launcher pod. Libvirt's ability to treat regular files as block devices allows these files to be mounted and read within the VM. A security mechanism intended to limit access by running VMs as an unprivileged user is bypassed because file ownership is changed to that user prior to mounting, granting access to arbitrary files within the virt-launcher pod's file system or on a mounted PVC. The virt-launcher pod is affected. The vulnerable operation involves mounting PVC disks into a VM.

Recommendations: Update KubeVirt to version 1.5.3 or later. Update KubeVirt to version 1.6.1 or later.
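As an added illustration of the class of check that closes this kind of hole (written for this page, not KubeVirt's own fix, whose exact form the advisory does not state), the Go function below resolves a requested PVC disk image through every symlink and refuses it unless the final target is a regular file that is still inside the PVC mount root. ResolveDiskPath, ErrEscapesRoot and the temp-directory layout in main are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot signals a disk path that, once symlinks are followed, lands outside the PVC mount.
var ErrEscapesRoot = errors.New("disk path resolves outside the PVC mount root")

// ResolveDiskPath takes a PVC mount root and the image name requested from it,
// follows every symlink on both, and returns the final path only if it is a
// regular file still inside that root. Hypothetical check, not KubeVirt code.
func ResolveDiskPath(root, requested string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	// Join strips "..", but a symlink inside the PVC can still point anywhere,
	// so containment is checked on the fully resolved target, not the name.
	realPath, err := filepath.EvalSymlinks(filepath.Join(realRoot, requested))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realRoot, realPath)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	// Only a plain file may be handed on as a disk; devices and directories are refused.
	if info, err := os.Stat(realPath); err != nil || !info.Mode().IsRegular() {
		return "", fmt.Errorf("%s: not a regular file", realPath)
	}
	return realPath, nil
}

func main() {
	// Constructed layout: one real image plus a symlink that escapes the mount
	// (the running binary stands in for a file belonging to the launcher pod).
	root, _ := os.MkdirTemp("", "pvc")
	defer os.RemoveAll(root)
	os.WriteFile(filepath.Join(root, "disk.img"), []byte("image"), 0o600)
	exe, _ := os.Executable()
	os.Symlink(exe, filepath.Join(root, "evil.img"))
	for _, name := range []string{"disk.img", "evil.img"} {
		p, err := ResolveDiskPath(root, name)
		fmt.Printf("%-8s -> %q err=%v\n", name, p, err)
	}
}
```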

Exploit

Fix

Weakness Enumeration: Path traversal

Related Identifiers

AZL-69799
AZL-69958
CVE-2025-64433
GHSA-QW6Q-3PGR-5CWQ
GO-2025-4109
OPENSUSE-SU-2025:15772-1
OPENSUSE-SU-2026:20281-1
SUSE-SU-2025:4330-1
SUSE-SU-2026:20551-1
SUSE-SU-2026:20610-1

Affected Products

Kubevirt
Kubernetes
Libvirt
Suse
Virt-Launcher