CVE-2025-64324
📋 TL;DR
A logic bug in KubeVirt's hostDisk feature allows attackers to read and write arbitrary files owned by privileged users on the host system. This affects KubeVirt versions before 1.6.1 and 1.7.0 when using the DiskOrCreate option. Attackers with access to create VMs can exploit this to escalate privileges and compromise the underlying Kubernetes host.
💻 Affected Systems
- KubeVirt
📦 What is this software?
Kubevirt by Kubevirt
⚠️ Risk & Real-World Impact
Worst Case
Full host system compromise allowing attackers to read sensitive files, modify system configurations, install persistent backdoors, and pivot to other systems in the cluster.
Likely Case
Privilege escalation leading to data exfiltration, credential theft, and lateral movement within the Kubernetes cluster.
If Mitigated
Limited impact if proper network segmentation, least privilege access, and monitoring are in place to detect unusual file access patterns.
🎯 Exploit Status
Requires authenticated access to KubeVirt API and knowledge of the vulnerability. The exploit involves creating a VM with specific hostDisk configurations to bypass file permission checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.1 and 1.7.0
Vendor Advisory: https://github.com/kubevirt/kubevirt/security/advisories/GHSA-46xp-26xh-hpqh
Restart Required: Yes
Instructions:
1. Back up your KubeVirt configuration and VM data.
2. Update KubeVirt to version 1.6.1 or 1.7.0 using your preferred deployment method (kubectl apply, Helm, etc.).
3. Restart KubeVirt components.
4. Verify all pods are running with the new version.
🔧 Temporary Workarounds
Disable hostDisk feature
Remove or restrict the use of the hostDisk feature in VirtualMachine configurations
kubectl get vm -A -o yaml | grep -i hostdisk
kubectl edit vm <vm-name> -n <namespace> # Remove hostDisk sections
Restrict RBAC permissions
Limit who can create or modify VirtualMachine resources to trusted users only
kubectl get clusterrolebindings,rolebindings -A | grep -i kubevirt
kubectl edit clusterrole <role-name> # Review and restrict permissions
🧯 If You Can't Patch
- Implement strict network policies to isolate KubeVirt management traffic
- Enable audit logging for all VirtualMachine creation/modification events and monitor for suspicious hostDisk usage
🔍 How to Verify
Check if Vulnerable:
Check the KubeVirt version (the upstream operator manifest deploys the operator as the Deployment virt-operator in the kubevirt namespace; a match means the image tag is on a vulnerable release): kubectl get deployment -n kubevirt virt-operator -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -E '1\.(6\.0|5\.|4\.|3\.|2\.|1\.|0\.)'
Check Version:
kubectl get deployment -n kubevirt virt-operator -o jsonpath='{.spec.template.spec.containers[0].image}'
Verify Fix Applied:
Verify the KubeVirt version is 1.6.1 or higher (the pattern covers 1.6.1 and later on the 1.6 line, and every 1.7+ release): kubectl get deployment -n kubevirt virt-operator -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -E '1\.(6\.[1-9]|[7-9]\.|[1-9][0-9]+\.)'
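The grep patterns above are easy to get subtly wrong (a pattern written for 1.6.1 through 1.9 silently misses 1.10, and digest-pinned images have no tag at all). As an added example that is not part of this advisory or of the KubeVirt project, the script below does the same check by parsing the operator image tag as a version and comparing it against the fixed release 1.6.1. It assumes the upstream default names (Deployment virt-operator in namespace kubevirt); pre-release tags at or above 1.6.1 are reported as undetermined rather than fixed, because the advisory names only final releases.

```python
"""Check whether a KubeVirt virt-operator image tag predates the CVE-2025-64324 fix.

Added example for this advisory, not KubeVirt project code. Fixed releases per the
advisory: 1.6.1 (1.6 line) and 1.7.0, so anything below 1.6.1 is vulnerable.
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (1, 6, 1)  # first release carrying the fix; 1.7.0 and later also carry it

# v1.6.0, 1.6.0, v1.7.0-rc.1 ... -> (major, minor, patch, optional pre-release suffix)
TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_image_tag(image: str) -> Tuple[Optional[Tuple[int, int, int]], Optional[str]]:
    """Return ((major, minor, patch), prerelease) from an image reference's tag.

    Handles 'quay.io/kubevirt/virt-operator:v1.6.0' as well as registries with a
    port ('registry.example:5000/...'). Digest-only references carry no tag and
    yield (None, None).
    """
    name = image.split("@", 1)[0]          # drop any @sha256:... digest first
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    if colon <= last_slash:                # the only ':' belongs to a registry port, or none at all
        return None, None
    m = TAG_RE.match(name[colon + 1:])
    if not m:
        return None, None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_vulnerable(image: str) -> Optional[bool]:
    """True if the tag is below 1.6.1, False if it is a final release at or above
    1.6.1, None if the tag cannot be parsed or is a pre-release of a fixed version."""
    version, prerelease = parse_image_tag(image)
    if version is None:
        return None
    if version < FIXED_VERSION:
        return True                        # pre-release or not, it predates the fix
    if prerelease:
        return None                        # e.g. v1.7.0-rc.0: not a release the advisory names
    return False


def current_operator_image(namespace: str = "kubevirt", deployment: str = "virt-operator") -> str:
    """Read the operator image reference from the cluster (upstream default names assumed)."""
    out = subprocess.run(
        ["kubectl", "get", "deployment", "-n", namespace, deployment,
         "-o", "jsonpath={.spec.template.spec.containers[0].image}"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    image = current_operator_image()
    verdict = is_vulnerable(image)
    label = {True: "VULNERABLE (older than 1.6.1)",
             False: "fixed (1.6.1 or later)",
             None: "undetermined, check the tag by hand"}[verdict]
    print(f"{image}: {label}")
```

Run it with cluster credentials that can read Deployments in the kubevirt namespace; an "undetermined" result usually means the image is pinned by digest, in which case resolve the digest to its release tag in your registry before deciding.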
📡 Detection & Monitoring
Log Indicators:
- Unusual VirtualMachine creation events with hostDisk configurations
- File access patterns from kubevirt processes to privileged system files
- Failed permission checks in kubevirt logs
Network Indicators:
- Unexpected outbound connections from kubevirt pods to external systems
- Unusual volume mount requests in Kubernetes API logs
SIEM Query:
source="kubernetes" ("hostDisk" OR "DiskOrCreate") AND ("create" OR "update") AND resource="virtualmachines"
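Both the hostDisk workaround above (find every VirtualMachine that uses hostDisk before removing or restricting it) and the detection guidance in this section (flag VM create/update events that carry hostDisk) come down to the same check over the KubeVirt volume list. The following script, added here as an example and not taken from the advisory or the KubeVirt project, implements that check once and applies it to two inputs: the JSON from `kubectl get vm -A -o json` for an inventory pass, and Kubernetes audit log lines for monitoring. It goes slightly beyond the page in also accepting VirtualMachineInstance objects (whose volumes sit directly under spec rather than under spec.template.spec). The volume shape used (spec.template.spec.volumes[].hostDisk with path and type) is KubeVirt's documented API; the audit event layout is the standard audit.k8s.io/v1 format; all sample objects and log lines are constructed for the example.

```python
"""Locate hostDisk volumes in KubeVirt VM definitions, from a live inventory or from
Kubernetes audit log lines. Added example for CVE-2025-64324, not KubeVirt code.
Sample inputs at the bottom are constructed."""
import json
from typing import Dict, Iterable, List, Optional

WRITE_VERBS = ("create", "update", "patch")
VM_RESOURCES = ("virtualmachines", "virtualmachineinstances")


def _vmi_spec(obj: Dict) -> Dict:
    """VirtualMachineInstance keeps volumes under spec; VirtualMachine nests them
    under spec.template.spec. A JSON merge-patch body has the same shape as the object."""
    spec = obj.get("spec") or {}
    if obj.get("kind") == "VirtualMachineInstance":
        return spec
    return (spec.get("template") or {}).get("spec") or {}


def hostdisk_volumes(obj: Dict, flag_type: Optional[str] = "DiskOrCreate") -> List[Dict]:
    """One record per hostDisk volume; flag_type=None returns both Disk and DiskOrCreate."""
    found = []
    for vol in _vmi_spec(obj).get("volumes") or []:
        hd = vol.get("hostDisk")
        if not hd:
            continue
        if flag_type is None or hd.get("type") == flag_type:
            found.append({"volume": vol.get("name"), "path": hd.get("path"), "type": hd.get("type")})
    return found


def scan_inventory(vm_list: Dict, flag_type: Optional[str] = "DiskOrCreate") -> List[Dict]:
    """Walk a kubectl List object (kubectl get vm -A -o json) and report hostDisk users."""
    hits = []
    for item in vm_list.get("items", []):
        meta = item.get("metadata", {})
        for rec in hostdisk_volumes(item, flag_type):
            hits.append({"namespace": meta.get("namespace"), "name": meta.get("name"), **rec})
    return hits


def scan_audit_log(lines: Iterable[str], flag_type: Optional[str] = "DiskOrCreate") -> List[Dict]:
    """Flag create/update/patch events on kubevirt.io VM resources whose request body
    contains a hostDisk volume. The audit policy must record these resources at level
    Request or RequestResponse, otherwise requestObject is absent and nothing matches.
    JSON-patch bodies (arrays) are skipped; merge-patch bodies (objects) are inspected."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                                   # not an audit event, e.g. a plain log line
        ref = ev.get("objectRef") or {}
        if ref.get("apiGroup") != "kubevirt.io" or ref.get("resource") not in VM_RESOURCES:
            continue
        if ev.get("verb") not in WRITE_VERBS:
            continue
        body = ev.get("requestObject")
        if not isinstance(body, dict):
            continue
        for rec in hostdisk_volumes(body, flag_type):
            hits.append({"user": (ev.get("user") or {}).get("username"), "verb": ev["verb"],
                         "namespace": ref.get("namespace"), "name": ref.get("name"), **rec})
    return hits


# ---- constructed sample data -------------------------------------------------------
SAMPLE_VM_LIST = {"kind": "List", "items": [
    {"kind": "VirtualMachine", "metadata": {"name": "build-box", "namespace": "ci"},
     "spec": {"template": {"spec": {"volumes": [
         {"name": "root", "containerDisk": {"image": "registry.example/os:constructed"}},
         {"name": "scratch", "hostDisk": {"path": "/var/lib/vm-scratch/build.img",
                                          "type": "DiskOrCreate", "capacity": "1Gi"}}]}}}},
    {"kind": "VirtualMachine", "metadata": {"name": "db", "namespace": "prod"},
     "spec": {"template": {"spec": {"volumes": [
         {"name": "data", "hostDisk": {"path": "/var/lib/vm-data/db.img", "type": "Disk"}}]}}}},
]}

SAMPLE_AUDIT_LINES = [
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
                "stage": "ResponseComplete", "verb": "create",
                "user": {"username": "alice@example.test"},
                "objectRef": {"resource": "virtualmachines", "apiGroup": "kubevirt.io",
                              "namespace": "ci", "name": "build-box"},
                "requestObject": SAMPLE_VM_LIST["items"][0]}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
                "stage": "ResponseComplete", "verb": "get", "user": {"username": "bob@example.test"},
                "objectRef": {"resource": "virtualmachines", "apiGroup": "kubevirt.io",
                              "namespace": "prod", "name": "db"}}),
    "plain text line that is not an audit event",
]

if __name__ == "__main__":
    for hit in scan_inventory(SAMPLE_VM_LIST):
        print("inventory:", hit)
    for hit in scan_audit_log(SAMPLE_AUDIT_LINES):
        print("audit:", hit)
```

For a real run, feed `scan_inventory` the parsed output of `kubectl get vm,vmi -A -o json` and `scan_audit_log` the lines of the API server audit file (or the stream your log shipper forwards); a hit on DiskOrCreate from an identity that is not expected to manage host-backed disks is the event the SIEM query above is meant to surface.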