Vulnerability in KubeVirt's Virtual Machine Management for Kubernetes
CVE-2025-64436

6.9MEDIUM

Key Information:

Vendor: Kubevirt
Status: Kubevirt
Vendor: CVE Published:; 7 November 2025

What is CVE-2025-64436?

KubeVirt, a crucial add-on for managing virtual machines within Kubernetes environments, has a vulnerability that arises from improper permissions assigned to the virt-handler service account. In versions 1.5.0 and earlier, these permissions can be exploited by malicious actors to force a virtual machine instance (VMI) to migrate to a node under their control. By leveraging this flaw, an attacker could manipulate node statuses, potentially making all nodes unschedulable and creating a pathway to deploy privileged pods on compromised nodes. This poses a significant risk to the integrity and security of Kubernetes deployments using KubeVirt.

Affected Version(s)

kubevirt <= 1.5.0

References

https://github.com/kubevirt/kubevirt/security/advisories/...

x_refsource_CONFIRM

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 7, 2025
Vulnerability Reserved
Nov 3, 2025

JSON

Kubevirt

What is CVE-2025-64436?

Affected Version(s)

References

CVSS V4

Timeline