Symlink Verification Oversight in KubeVirt Virtual Machine Management
CVE-2025-64437
What is CVE-2025-64437?
KubeVirt, a Kubernetes add-on for managing virtual machines, contains a critical flaw: virt-handler does not validate whether the launcher-sock is a symlink or a regular file. An attacker who controls the file system of the virt-launcher pod can exploit this oversight to change the ownership of arbitrary files on the host node to an unprivileged user (UID 107), compromising the confidentiality, integrity, and availability of data on the host. Users are urged to upgrade to version 1.5.3 or 1.6.1 (or later) to mitigate the risk associated with this vulnerability.
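The bug class described above is an ownership change applied through a path that the other side of a trust boundary controls. The following Go program is an added illustration, not KubeVirt's own code and not its fix: it places the weak pattern (os.Chown, which follows symlinks) beside a hardened one (os.Lstat to inspect the inode without following links, a check that it really is a unix socket, then os.Lchown). The directory layout, the file names (including the planted "launcher-sock" symlink) and the socket are all constructed in a temporary directory for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
)

// checkSocketPath refuses any path that is not a plain unix domain socket.
// os.Lstat does not follow symlinks, so a symlink planted at the socket
// path is reported as a symlink rather than as whatever it points to.
func checkSocketPath(path string) error {
	fi, err := os.Lstat(path)
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return fmt.Errorf("refusing %q: path is a symlink", path)
	}
	if fi.Mode()&os.ModeSocket == 0 {
		return fmt.Errorf("refusing %q: not a unix socket (mode %v)", path, fi.Mode())
	}
	return nil
}

// unsafeChownSocket is the weak pattern: os.Chown follows symlinks, so the
// ownership change lands on whatever the link points to.
func unsafeChownSocket(path string, uid, gid int) error {
	return os.Chown(path, uid, gid)
}

// safeChownSocket validates the inode first and then uses os.Lchown, which
// never follows symlinks, so the change can only apply to the socket itself.
func safeChownSocket(path string, uid, gid int) error {
	if err := checkSocketPath(path); err != nil {
		return err
	}
	return os.Lchown(path, uid, gid)
}

// scenario is a constructed layout (assumption, not a real KubeVirt tree):
// a regular file, a symlink to it named like the socket, and a real socket.
type scenario struct {
	regular, symlink, socket string
	listener                 net.Listener
}

func buildScenario(dir string) (*scenario, error) {
	s := &scenario{
		regular: filepath.Join(dir, "target.txt"),
		symlink: filepath.Join(dir, "launcher-sock"), // planted link, not a socket
		socket:  filepath.Join(dir, "real.sock"),
	}
	if err := os.WriteFile(s.regular, []byte("constructed sample\n"), 0o600); err != nil {
		return nil, err
	}
	if err := os.Symlink(s.regular, s.symlink); err != nil {
		return nil, err
	}
	l, err := net.Listen("unix", s.socket)
	if err != nil {
		return nil, err
	}
	s.listener = l
	return s, nil
}

func main() {
	dir, err := os.MkdirTemp("", "sockchk")
	if err != nil {
		fmt.Println("tempdir:", err)
		return
	}
	defer os.RemoveAll(dir)
	s, err := buildScenario(dir)
	if err != nil {
		fmt.Println("scenario:", err)
		return
	}
	defer s.listener.Close()
	uid, gid := os.Getuid(), os.Getgid()
	for _, p := range []string{s.socket, s.symlink, s.regular} {
		fmt.Printf("%-14s unsafe=%v safe=%v\n", filepath.Base(p),
			unsafeChownSocket(p, uid, gid), safeChownSocket(p, uid, gid))
	}
}
```

Running it shows the weak variant silently succeeding on the symlink (the ownership change was applied to target.txt, the link's destination) while the hardened variant rejects both the symlink and the regular file and accepts only the real socket. Note that Lstat followed by Lchown still leaves a small time-of-check/time-of-use window on a directory an adversary can write to; code that must be robust there should open the parent directory and operate via fchownat with AT_SYMLINK_NOFOLLOW, and should treat every path component below the pod-controlled directory as untrusted.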

Affected Version(s)
kubevirt < 1.5.3
kubevirt >= 1.6.0-alpha.0, < 1.6.1
