CVE-2025-64436 | THREATINT

Description

KubeVirt is a virtual machine management add-on for Kubernetes. In 1.5.0 and earlier, the permissions granted to the virt-handler service account, such as the ability to update VMI and patch nodes, could be abused to force a VMI migration to an attacker-controlled node. This vulnerability could otherwise allow an attacker to mark all nodes as unschedulable, potentially forcing the migration or creation of privileged pods onto a compromised node.

PUBLISHED Reserved 2025-11-03 | Published 2025-11-07 | Updated 2025-11-07 | Assigner GitHub_M

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-269: Improper Privilege Management

CWE-276: Incorrect Default Permissions

Product status

<= 1.5.0

affected

References

github.com/...bevirt/security/advisories/GHSA-7xgm-5prm-v5gc

cve.org (CVE-2025-64436)

nvd.nist.gov (CVE-2025-64436)

Download JSON