{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-13201", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-06-24T13:58:29.925Z", "datePublished": "2026-06-24T20:39:00.173Z", "dateUpdated": "2026-06-24T20:39:00.173Z"}, "containers": {"cna": {"title": "Kubevirt: virt-handler-rhel9: kubevirt: safepath openatnofollow symlink following via /proc/self/fd allows host file metadata modification", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in KubeVirt's safepath package. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream helpers operate via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel dereferences it, defeating the intended no-follow protection. An attacker with access to a virt-launcher pod can exploit this to cause virt-handler to apply file ownership or permission changes to an unintended host path."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat OpenShift Virtualization 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "container-native-virtualization/virt-handler", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:container_native_virtualization:4"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Virtualization 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "container-native-virtualization/virt-handler-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:container_native_virtualization:4"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-13201", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492203", "name": "RHBZ#2492203", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-06-24T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-61", "description": "UNIX Symbolic Link (Symlink) Following", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-61: UNIX Symbolic Link (Symlink) Following", "workarounds": [{"lang": "en", "value": "The following default configurations in OpenShift Virtualization significantly reduce exploitability and impact:\n\n1. Ensure SELinux is in enforcing mode (default in OpenShift). This restricts the set of host files that virt-handler can modify through this path, blocking operations on files with protected security labels.\n2. RHCOS immutable filesystem layers prevent modification of core OS files.\n3. Review RBAC policies to limit unnecessary pods/exec permissions on virt-launcher pods to reduce the attacker pool."}], "timeline": [{"lang": "en", "time": "2026-06-24T13:52:04.691Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-24T00:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "This issue was discovered by Huzaifa Sidhpurwala (Red Hat)."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-24T20:39:00.173Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}

{}

{}

{}

{}