CVE-2025-64436
MEDIUM WAF: Low
CVSS 5.3
Published: 2025-11-07
CWE-269
KubeVirt is a virtual machine management add-on for Kubernetes. In 1.5.0 and earlier, the permissions granted to the virt-handler service account, such as the ability to update VMI and patch nodes, could be abused to force a VMI migration to an attacker-controlled node. This vulnerability could otherwise allow an attacker to mark all nodes as unschedulable, potentially forcing the migration or creation of privileged pods onto a compromised node.
WAF Coverage Analysis
Improper Privilege Management
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| kubevirt | kubevirt | up to 1.5.3 |
| kubevirt | kubevirt | 1.6.0 - 1.6.1 |
References
- github.com (Exploit, Vendor Advisory)