PatchSiren cyber security CVE debrief
CVE-2026-13322 Red Hat CVE debrief
A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is received, with no length limit or read deadline. A user with access to a VM guest that has the downward metrics virtio-serial device configured can write a continuous byte stream to the device, causing unbounded memory allocation in the virt-handler process until it is OOM-killed.
- Vendor
- Red Hat
- Product
- Red Hat OpenShift Virtualization 4
- CVSS
- LOW 3.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-26
- Original CVE updated
- 2026-07-06
- Advisory published
- 2026-06-26
- Advisory updated
- 2026-07-06
Who should care
Users of KubeVirt, especially those with administrative access to VM guests configured with the downward metrics virtio-serial device, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The KubeVirt downward metrics virtio-serial server is vulnerable to an issue where it reads guest requests using textproto.Reader.ReadLine(). This method buffers input indefinitely until a newline character is received, with no length limit or read deadline. An attacker with access to a VM guest configured with the downward metrics virtio-serial device can exploit this by writing a continuous byte stream to the device. This can cause unbounded memory allocation in the virt-handler process, potentially leading to the process being OOM-killed.
Defensive priority
Medium
Recommended defensive actions
- Update KubeVirt to a version that includes a fix for this issue.
- Restrict access to VM guests configured with the downward metrics virtio-serial device.
- Monitor virt-handler process memory usage for anomalies.
- Implement compensating controls to limit the impact of potential memory exhaustion.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record was published on 2026-06-26T00:16:51.397Z and was last modified on 2026-07-06T17:25:39.853Z. The NVD entry is currently Analyzed. References include vendor advisories and issue tracking links.
Official resources
-
CVE-2026-13322 CVE record
CVE.org
-
CVE-2026-13322 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Mitigation, Vendor Advisory
-
Mitigation or vendor reference
[email protected] - Issue Tracking, Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-26T00:16:51.397Z and has not been modified since then. The NVD entry is currently Analyzed.