CVE-2025-64437
📋 TL;DR
This CVE allows attackers who control the virt-launcher pod filesystem to change ownership of arbitrary host node files to the unprivileged UID 107 user, compromising data confidentiality, integrity, and availability. It affects KubeVirt installations where virt-handler doesn't properly validate launcher-sock file types. Users running vulnerable KubeVirt versions are affected.
💻 Affected Systems
- KubeVirt
📦 What is this software?
Kubevirt by Kubevirt
Kubevirt by Kubevirt
⚠️ Risk & Real-World Impact
Worst Case
Complete host node compromise through arbitrary file ownership changes, potentially leading to privilege escalation, data exfiltration, or denial of service.
Likely Case
Limited file manipulation on the host node by attackers with virt-launcher pod control, potentially affecting adjacent workloads or system files.
If Mitigated
Minimal impact with proper pod security policies, network segmentation, and limited filesystem access for virt-launcher pods.
🎯 Exploit Status
Exploitation requires existing access to control virt-launcher pod filesystem. Not directly remote exploitable without prior compromise.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.3 or 1.6.1
Vendor Advisory: https://github.com/kubevirt/kubevirt/security/advisories/GHSA-2r4r-5x78-mvqf
Restart Required: Yes
Instructions:
1. Update KubeVirt to version 1.5.3 or 1.6.1 using kubectl apply with updated manifests. 2. Restart virt-handler pods. 3. Verify all components are running the patched version.
🔧 Temporary Workarounds
Restrict virt-launcher pod filesystem access
linuxApply pod security policies to limit filesystem access for virt-launcher pods
kubectl apply -f restrictive-pod-security-policy.yaml
Network segmentation
linuxIsolate virt-launcher pods from sensitive workloads using network policies
kubectl apply -f network-policy-virt-launcher.yaml
🧯 If You Can't Patch
- Implement strict pod security policies to prevent unauthorized filesystem access to virt-launcher pods
- Monitor virt-launcher pod behavior and file ownership changes on host nodes using audit logs
🔍 How to Verify
Check if Vulnerable:
Check KubeVirt version: kubectl get kubevirt -n kubevirt -o jsonpath='{.items[0].status.observedKubeVirtVersion}'Check Version:
kubectl get kubevirt -n kubevirt -o jsonpath='{.items[0].status.observedKubeVirtVersion}'Verify Fix Applied:
Confirm version is 1.5.3 or higher (for 1.5.x) or 1.6.1 or higher (for 1.6.x) and check virt-handler pod logs for normal operation📡 Detection & Monitoring
Log Indicators:
- Unexpected file ownership changes on host nodes
- Unusual virt-launcher pod filesystem activity
- Failed symlink validation attempts in virt-handler logs
Network Indicators:
- Unusual network traffic from virt-launcher pods to host node services
SIEM Query:
source="kubevirt" AND ("launcher-sock" OR "symlink" OR "file ownership")🔗 References
- https://github.com/kubevirt/kubevirt/commit/3ce9f41c54d04a65f10b23a46771391c00659afb
- https://github.com/kubevirt/kubevirt/commit/8644dbe0d04784b0bfa8395b91ecbd6001f88f6b
- https://github.com/kubevirt/kubevirt/commit/f59ca63133f25de8fceb3e2a0e5cc0b7bdb6a265
- https://github.com/kubevirt/kubevirt/security/advisories/GHSA-2r4r-5x78-mvqf
