PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-13322 Red Hat CVE debrief

A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is received, with no length limit or read deadline. A user with access to a VM guest that has the downward metrics virtio-serial device configured can write a continuous byte stream to the device, causing unbounded memory allocation in the virt-handler process until it is OOM-killed.

Vendor
Red Hat
Product
Red Hat OpenShift Virtualization 4
CVSS
LOW 3.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-26
Original CVE updated
2026-07-06
Advisory published
2026-06-26
Advisory updated
2026-07-06

Who should care

Users of KubeVirt, especially those with administrative access to VM guests configured with the downward metrics virtio-serial device, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The KubeVirt downward metrics virtio-serial server is vulnerable to an issue where it reads guest requests using textproto.Reader.ReadLine(). This method buffers input indefinitely until a newline character is received, with no length limit or read deadline. An attacker with access to a VM guest configured with the downward metrics virtio-serial device can exploit this by writing a continuous byte stream to the device. This can cause unbounded memory allocation in the virt-handler process, potentially leading to the process being OOM-killed.

Defensive priority

Medium

Recommended defensive actions

  • Update KubeVirt to a version that includes a fix for this issue.
  • Restrict access to VM guests configured with the downward metrics virtio-serial device.
  • Monitor virt-handler process memory usage for anomalies.
  • Implement compensating controls to limit the impact of potential memory exhaustion.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-06-26T00:16:51.397Z and was last modified on 2026-07-06T17:25:39.853Z. The NVD entry is currently Analyzed. References include vendor advisories and issue tracking links.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-26T00:16:51.397Z and has not been modified since then. The NVD entry is currently Analyzed.