PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-13325 Red Hat CVE debrief

A flaw was found in KubeVirt's migration proxy when spec.configuration.migrations.disableTLS is set to true. This setting causes the target virt-handler to bind a plain TCP listener on all interfaces (0.0.0.0/::) on a random port with no authentication, peer allow-list, or handshake token. Consequently, an attacker with a running pod on the cluster network can connect to this listener and issue unfiltered libvirt RPC commands against another tenant's virtual machine. Such commands can include reading VM memory and configuration, modifying VM state via QMP, or destroying the VM.

Vendor
Red Hat
Product
Red Hat OpenShift Virtualization 4
CVSS
HIGH 8.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-26
Original CVE updated
2026-07-06
Advisory published
2026-06-26
Advisory updated
2026-07-06

Who should care

Users of KubeVirt, especially those with multi-tenant environments, should be aware of this vulnerability. The flaw allows for potential lateral movement and escalation within the cluster network.

Technical summary

The vulnerability arises from the insecure configuration of the migration proxy in KubeVirt. When disableTLS is set to true, the migration proxy listener is exposed without authentication or encryption. This exposes the virt-launcher's virtqemud control socket to unauthorized access. An attacker can exploit this by connecting to the listener and issuing libvirt RPC commands. The impact includes unauthorized access to VM data, modification of VM state, and potential disruption of VM operations.

Defensive priority

High

Recommended defensive actions

  • Review and adjust the KubeVirt configuration to ensure TLS is enabled for migrations.
  • Implement network policies to restrict access to the migration proxy listener.
  • Monitor for and limit the use of disableTLS in KubeVirt custom resources.
  • Apply the provided vendor advisories and patches.
  • Conduct regular security audits and vulnerability assessments.

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. Vendor advisories and issue tracking references are available for mitigation and patching. Evidence is limited to public sources; defenders should verify with vendors and assess their specific environments. No additional facts are known beyond public disclosures.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-26T11:16:30.830Z and has not been modified since then. The NVD entry is currently Analyzed.