Network Cache Handling Flaw in KubeVirt's virt-handler Component
CVE-2026-13218

4.2MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Openshift Virtualization 4
Vendor: CVE Published:; 25 June 2026

What is CVE-2026-13218?

A vulnerability exists in KubeVirt's virt-handler related to network cache handling. The flaw is in the WriteToCachedFile function, which improperly manages file writing and ownership changes due to a lack of symlink protection. This allows a user with access to the virt-launcher container to place a symlink at the cache file path, leading virt-handler to overwrite arbitrary host files with potentially malicious JSON content and alter their ownership. This poses significant security risks, as it could result in unauthorized data manipulation or system compromise.

References

https://access.redhat.com/security/cve/CVE-2026-13218

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2492654

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

4.2

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 25, 2026
Vulnerability Reserved
Jun 24, 2026

Credit

This issue was discovered by Huzaifa Sidhpurwala (Red Hat).

CVE-2026-13218 Data

JSON