CVE-2025-64433
📋 TL;DR
This vulnerability in KubeVirt allows a malicious user with control over a PersistentVolumeClaim (PVC) to read arbitrary files from the virt-launcher pod's file system. Attackers can exploit improper symlink handling and ownership changes to bypass security restrictions and access sensitive data. This affects KubeVirt deployments where users have write access to PVCs.
💻 Affected Systems
- KubeVirt
📦 What is this software?
Kubevirt by Kubevirt
⚠️ Risk & Real-World Impact
Worst Case
An attacker could read sensitive files from the virt-launcher pod, potentially obtaining secrets, configuration files, or other confidential data that could lead to further compromise of the Kubernetes cluster.
Likely Case
Malicious users with PVC write access can read arbitrary files from the virt-launcher pod, potentially accessing sensitive information but limited to files accessible by UID 107.
If Mitigated
With proper network segmentation and strict RBAC controls limiting PVC access, the attack surface is significantly reduced, though the vulnerability remains present in unpatched systems.
🎯 Exploit Status
Exploitation requires write access to PVCs and knowledge of target file paths; no public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.3 or 1.6.1
Vendor Advisory: https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qw6q-3pgr-5cwq
Restart Required: Yes
Instructions:
1. Identify your current KubeVirt version.
2. If using a version lower than 1.5.3, upgrade to 1.5.3.
3. If using version 1.6.0, upgrade to 1.6.1.
4. Apply the upgrade using your Kubernetes deployment method.
5. Restart affected pods to ensure the fix is applied.
🔧 Temporary Workarounds
Restrict PVC Write Access
Implement strict RBAC controls to limit which users can write to PVCs, reducing the attack surface.
Network Segmentation
Isolate KubeVirt workloads from sensitive systems to limit potential data exposure if exploited.
🧯 If You Can't Patch
- Implement strict RBAC controls to limit PVC write access to trusted users only.
- Monitor for unusual file access patterns or symlink creation in PVCs and virt-launcher pods.
🔍 How to Verify
Check if Vulnerable:
Check the KubeVirt version; if it is lower than 1.5.3 or exactly 1.6.0, the system is vulnerable.
Check Version:
kubectl get kubevirt.kubevirt.io/kubevirt -n kubevirt -o jsonpath='{.status.observedKubeVirtVersion}'
Verify Fix Applied:
Verify that the KubeVirt version is 1.5.3 or later on the 1.5 line, or 1.6.1 or later.
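The version check above, written out as an added shell example that is not part of this advisory. It encodes the affected range stated here (any release below 1.5.3, or exactly 1.6.0) and assumes kubectl access to the kubevirt namespace, the jsonpath given above, and an X.Y.Z version string (a leading "v" or a pre-release suffix is stripped before comparing).

```shell
#!/bin/sh
# Added example for CVE-2025-64433 (not from the advisory or the KubeVirt project):
# decide whether an observed KubeVirt version is in the affected range.

# Normalise a version string: drop a leading "v" and any "-suffix" (e.g. -rc.1).
normver() {
  printf '%s' "$1" | sed 's/^v//; s/-.*$//'
}

# Compare two dotted versions numerically; prints -1, 0 or 1 (a < b, a == b, a > b).
vercmp() {
  a=$(normver "$1"); b=$(normver "$2")
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}          # a missing component counts as 0
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
    i=$((i + 1))
  done
  echo 0
}

# Returns 0 (shell true) when the version is affected, 1 when it carries the fix.
is_vulnerable() {
  v=$(normver "$1")
  [ "$(vercmp "$v" 1.5.3)" -eq -1 ] && return 0   # anything older than 1.5.3
  [ "$(vercmp "$v" 1.6.0)" -eq 0 ] && return 0    # the single affected 1.6 release
  return 1
}

# Query a live cluster with the command the advisory gives and report the result.
check_cluster() {
  obs=$(kubectl get kubevirt.kubevirt.io/kubevirt -n kubevirt \
        -o jsonpath='{.status.observedKubeVirtVersion}') || return 2
  if is_vulnerable "$obs"; then
    echo "KubeVirt $obs: AFFECTED by CVE-2025-64433, upgrade to 1.5.3 or 1.6.1"
    return 0
  fi
  echo "KubeVirt $obs: not in the affected range"
  return 1
}
```

Run `check_cluster` against a cluster; its exit status is 0 when the deployment is affected, 1 when it is fixed, and 2 when the kubectl query itself failed.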
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns from VMs
- Symlink creation in PVCs
- Failed mount attempts with unusual file paths
Network Indicators:
- Unusual data egress from VMs to external systems
SIEM Query:
Search for events where virt-launcher pods access files outside expected PVC paths or where symlinks are created in PVC storage.
🔗 References
- https://github.com/kubevirt/kubevirt/commit/09eafa068ec01eca0e96ebafeeb9522a878dbf64
- https://github.com/kubevirt/kubevirt/commit/9dc798cb1efe924a9a2b97b6e016452dec5e3849
- https://github.com/kubevirt/kubevirt/commit/a81b27d4600cf654274dd197119658382affdb08
- https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qw6q-3pgr-5cwq