Logic Flaw in KubeVirt Affects Kubernetes Management
CVE-2025-64435

5.3 MEDIUM

Key Information:

Vendor: Kubevirt
Status: Vendor
CVE Published: 7 November 2025

What is CVE-2025-64435?

KubeVirt, a virtual machine management add-on for Kubernetes, has a logic flaw in the virt-controller in versions prior to 1.7.0-beta.0. An attacker able to create pods can craft a malicious pod whose labels match those of the legitimate virt-launcher pod linked to a Virtual Machine Instance (VMI). The virt-controller may then associate this fraudulent pod with the VMI instead of the real launcher, producing misleading VMI status updates and disrupting the workload, which amounts to a Denial-of-Service (DoS). The vulnerability is fixed in version 1.7.0-beta.0.
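The defensive angle on the flaw above is an audit that looks for pods wearing virt-launcher labels that are not actually owned by a VMI. The following check is an added illustration, not KubeVirt's own code; it assumes (as labelled in the comments) that genuine virt-launcher pods carry the label `kubevirt.io=virt-launcher`, a `kubevirt.io/created-by` label holding the owning VMI's UID, and an ownerReference of kind VirtualMachineInstance. The sample pods and VMIs are constructed inline: one legitimate launcher and one impostor that copied its labels.

```python
# Added audit check for the KubeVirt virt-launcher label-matching issue described above.
# Illustration only, not KubeVirt's own code. Label names and the ownerReference shape are
# assumptions about how virt-launcher pods are normally created.
from typing import Dict, List, Optional, Tuple

LAUNCHER_LABEL = ("kubevirt.io", "virt-launcher")   # assumed marker label on launcher pods
CREATED_BY_LABEL = "kubevirt.io/created-by"         # assumed label holding the VMI UID


def vmi_uid_index(vmis: List[dict]) -> Dict[str, Tuple[str, str]]:
    """Map VMI UID -> (namespace, name) so pods can be checked against known VMIs."""
    return {
        v["metadata"]["uid"]: (v["metadata"]["namespace"], v["metadata"]["name"])
        for v in vmis
    }


def owning_vmi_uid(pod: dict) -> Optional[str]:
    """Return the UID of the VirtualMachineInstance that owns this pod, if any."""
    for ref in pod.get("metadata", {}).get("ownerReferences") or []:
        if ref.get("kind") == "VirtualMachineInstance":
            return ref.get("uid")
    return None


def audit_launcher_pods(pods: List[dict], vmis: List[dict]) -> List[dict]:
    """Report pods that claim to be virt-launcher pods but lack a consistent VMI owner.

    A pod is only inspected if it carries the launcher marker label. It is reported when it
    has no VMI ownerReference, when the owner UID is unknown or lives in another namespace,
    or when its created-by label disagrees with the ownerReference.
    """
    index = vmi_uid_index(vmis)
    findings = []
    for pod in pods:
        meta = pod.get("metadata", {})
        labels = meta.get("labels") or {}
        if labels.get(LAUNCHER_LABEL[0]) != LAUNCHER_LABEL[1]:
            continue  # not presenting itself as a launcher; out of scope
        claimed = labels.get(CREATED_BY_LABEL)
        owner = owning_vmi_uid(pod)
        reasons = []
        if owner is None:
            reasons.append("no VirtualMachineInstance ownerReference")
        elif owner not in index:
            reasons.append("ownerReference UID matches no known VMI")
        elif index[owner][0] != meta.get("namespace"):
            reasons.append("owner VMI is in a different namespace")
        if claimed != owner:
            reasons.append("created-by label does not match ownerReference")
        if reasons:
            findings.append({"namespace": meta.get("namespace"),
                             "pod": meta.get("name"), "reasons": reasons})
    return findings


# Constructed sample data: one VMI, its genuine launcher pod, and an impostor pod that
# copied the launcher's labels but has no ownerReference to the VMI.
SAMPLE_VMIS = [
    {"metadata": {"namespace": "tenant-a", "name": "web-1", "uid": "vmi-uid-1"}},
]
SAMPLE_PODS = [
    {"metadata": {"namespace": "tenant-a", "name": "virt-launcher-web-1-abcde",
                  "labels": {"kubevirt.io": "virt-launcher", "kubevirt.io/created-by": "vmi-uid-1"},
                  "ownerReferences": [{"kind": "VirtualMachineInstance", "uid": "vmi-uid-1"}]}},
    {"metadata": {"namespace": "tenant-a", "name": "virt-launcher-web-1-zzzzz",
                  "labels": {"kubevirt.io": "virt-launcher", "kubevirt.io/created-by": "vmi-uid-1"},
                  "ownerReferences": []}},
    {"metadata": {"namespace": "tenant-a", "name": "unrelated-app",
                  "labels": {"app": "unrelated"}, "ownerReferences": []}},
]

if __name__ == "__main__":
    for finding in audit_launcher_pods(SAMPLE_PODS, SAMPLE_VMIS):
        print(f"{finding['namespace']}/{finding['pod']}: {', '.join(finding['reasons'])}")
```

Against a live cluster the two inputs would be the `.items` arrays from `kubectl get pods -A -o json` and `kubectl get vmi -A -o json` (assuming the VMI resource's usual short name). The check is a detection aid for the window before the fix is rolled out; the remediation stated on this page is upgrading KubeVirt to 1.7.0-beta.0 or later.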

Affected Version(s)

kubevirt < 1.7.0-beta.0

References

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
