Vulnerability in KubeVirt's virt-handler for Kubernetes
CVE-2026-13208

6.5 MEDIUM

Key Information:

Vendor: Red Hat

CVE Published: 24 June 2026

What is CVE-2026-13208?

A vulnerability exists in the virt-handler component of KubeVirt, where gRPC handlers do not validate the identity of VirtualMachineInstances (VMIs) and instead take it solely from request bodies. This oversight permits a compromised virt-launcher process to fabricate domain lifecycle events for any VMI on the same node, leading to inaccurate state updates and potential disruption of VMI lifecycle management. Because the handler does not validate the connection's origin, the integrity of VMI processes is jeopardized, emphasizing the need for stringent input validation mechanisms.
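To make the defect and its mitigation concrete, here is an added Go example (it is not KubeVirt's code and uses none of its types). It assumes the handler can recover which VMI a launcher connection was set up for, independently of the request body (for instance from the per-launcher socket the connection arrived on); `ConnInfo`, `DomainEvent`, `VMIStore` and both handler functions are hypothetical names for this illustration. The unchecked handler trusts the UID in the body, so a launcher bound to one VMI can report state for another; the checked handler binds the event to the connection's identity and rejects a mismatch before any state is touched.

```go
package main

import (
	"errors"
	"fmt"
)

// ConnInfo is what the handler side knows about the peer independently of
// the request body: the VMI this launcher connection was set up for.
// Hypothetical type for this example, not a KubeVirt type.
type ConnInfo struct {
	VMIUID string
}

// DomainEvent is a constructed stand-in for a domain lifecycle notification
// sent by a launcher; VMIUID is the identity claimed in the request body.
type DomainEvent struct {
	VMIUID string
	State  string
}

// ErrIdentityMismatch is returned when the body's VMI is not the connection's VMI.
var ErrIdentityMismatch = errors.New("event VMI does not match the VMI bound to this connection")

// VMIStore maps VMI UID to the last reported domain state.
type VMIStore map[string]string

// handleEventUnchecked models the flaw: the handler trusts the UID in the body,
// so a launcher can report state for any VMI on the node.
func handleEventUnchecked(store VMIStore, _ ConnInfo, ev DomainEvent) error {
	store[ev.VMIUID] = ev.State
	return nil
}

// handleEventChecked models the fix: the VMI identity comes from the connection,
// and a body that names a different VMI is rejected before any state is touched.
func handleEventChecked(store VMIStore, conn ConnInfo, ev DomainEvent) error {
	if conn.VMIUID == "" {
		return errors.New("connection has no bound VMI identity; refusing event")
	}
	if ev.VMIUID != conn.VMIUID {
		return fmt.Errorf("%w: connection=%s body=%s", ErrIdentityMismatch, conn.VMIUID, ev.VMIUID)
	}
	store[ev.VMIUID] = ev.State
	return nil
}

// Demo replays one spoofed event (a launcher bound to vmi-a reporting for vmi-b)
// through both handlers and returns the resulting stores and the checked handler's error.
func Demo() (unchecked VMIStore, checked VMIStore, checkedErr error) {
	unchecked = VMIStore{"vmi-a": "Running", "vmi-b": "Running"}
	checked = VMIStore{"vmi-a": "Running", "vmi-b": "Running"}
	conn := ConnInfo{VMIUID: "vmi-a"}                       // constructed: connection opened for vmi-a
	spoof := DomainEvent{VMIUID: "vmi-b", State: "Shutoff"} // constructed: body claims vmi-b
	_ = handleEventUnchecked(unchecked, conn, spoof)
	checkedErr = handleEventChecked(checked, conn, spoof)
	return unchecked, checked, checkedErr
}

func main() {
	unchecked, checked, err := Demo()
	fmt.Println("unchecked handler: vmi-b =", unchecked["vmi-b"])
	fmt.Println("checked handler:   vmi-b =", checked["vmi-b"], "; error:", err)
}
```

The design point is that the identity used for authorization is never read from the untrusted body; the body's UID is only compared against what the connection already proves, and a mismatch is logged and rejected rather than silently applied, which also gives a detection signal for a misbehaving launcher.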

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was discovered by Huzaifa Sidhpurwala (Red Hat).