PatchSiren cyber security CVE debrief
CVE-2026-13434 Red Hat CVE debrief
A flaw was found in KubeVirt's network annotation generator. When a tenant creates a VirtualMachineInstance with a Multus network configuration, the supplied networkName value is written verbatim into the launcher pod's v1.multus-cni.io/default-network annotation without format validation or sanitization. This vulnerability allows for cross-namespace network access and IP/MAC impersonation. Users with kubevirt.io:edit permissions are particularly affected.
- Vendor
- Red Hat
- Product
- Red Hat OpenShift Virtualization 4
- CVSS
- MEDIUM 4.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-26
- Original CVE updated
- 2026-07-06
- Advisory published
- 2026-06-26
- Advisory updated
- 2026-07-06
Who should care
Users of KubeVirt, especially those with kubevirt.io:edit permissions, should be aware of this vulnerability and take steps to mitigate it. This includes restricting permissions, disabling the ExternalNetResourceInjection Beta feature gate, implementing network segmentation, and monitoring for suspicious network activity.
Technical summary
The ExternalNetResourceInjection Beta feature gate in KubeVirt allows tenants to inject a JSON-formatted NetworkSelectionElement array specifying an arbitrary namespace, NAD name, static IP address, and MAC address. This enables cross-namespace network access and IP/MAC impersonation on network segments normally segregated from tenant workloads. The vulnerability arises from the lack of format validation or sanitization of the supplied networkName value written into the launcher pod's v1.multus-cni.io/default-network annotation.
Defensive priority
Medium
Recommended defensive actions
- Restrict kubevirt.io:edit permissions to trusted users
- Disable the ExternalNetResourceInjection Beta feature gate
- Implement network segmentation and access controls
- Monitor for suspicious network activity
- Apply vendor-provided patches or updates
Evidence notes
The CVE record was published on 2026-06-26T17:16:32.313Z and was last modified on 2026-07-06T17:51:23.523Z. The NVD entry is currently Analyzed. Evidence is limited to the provided CVE and NVD information. Defensive verification tasks should include reviewing the official advisory, validating affected scope, and applying vendor-provided patches or updates.
Official resources
-
CVE-2026-13434 CVE record
CVE.org
-
CVE-2026-13434 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Mitigation, Vendor Advisory
-
Mitigation or vendor reference
[email protected] - Vendor Advisory, Issue Tracking
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-26T17:16:32.313Z and has not been modified since then. The NVD entry is currently Analyzed.