PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-13434 Red Hat CVE debrief

A flaw was found in KubeVirt's network annotation generator. When a tenant creates a VirtualMachineInstance with a Multus network configuration, the supplied networkName value is written verbatim into the launcher pod's v1.multus-cni.io/default-network annotation without format validation or sanitization. This vulnerability allows for cross-namespace network access and IP/MAC impersonation. Users with kubevirt.io:edit permissions are particularly affected.

Vendor
Red Hat
Product
Red Hat OpenShift Virtualization 4
CVSS
MEDIUM 4.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-26
Original CVE updated
2026-07-06
Advisory published
2026-06-26
Advisory updated
2026-07-06

Who should care

Users of KubeVirt, especially those with kubevirt.io:edit permissions, should be aware of this vulnerability and take steps to mitigate it. This includes restricting permissions, disabling the ExternalNetResourceInjection Beta feature gate, implementing network segmentation, and monitoring for suspicious network activity.

Technical summary

The ExternalNetResourceInjection Beta feature gate in KubeVirt allows tenants to inject a JSON-formatted NetworkSelectionElement array specifying an arbitrary namespace, NAD name, static IP address, and MAC address. This enables cross-namespace network access and IP/MAC impersonation on network segments normally segregated from tenant workloads. The vulnerability arises from the lack of format validation or sanitization of the supplied networkName value written into the launcher pod's v1.multus-cni.io/default-network annotation.

Defensive priority

Medium

Recommended defensive actions

  • Restrict kubevirt.io:edit permissions to trusted users
  • Disable the ExternalNetResourceInjection Beta feature gate
  • Implement network segmentation and access controls
  • Monitor for suspicious network activity
  • Apply vendor-provided patches or updates

Evidence notes

The CVE record was published on 2026-06-26T17:16:32.313Z and was last modified on 2026-07-06T17:51:23.523Z. The NVD entry is currently Analyzed. Evidence is limited to the provided CVE and NVD information. Defensive verification tasks should include reviewing the official advisory, validating affected scope, and applying vendor-provided patches or updates.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-26T17:16:32.313Z and has not been modified since then. The NVD entry is currently Analyzed.