PatchSiren

CVE-2026-7374 Red Hat CVE debrief

A critical vulnerability in KubeVirt's virt-handler component enables authenticated OpenShift users with namespace-level edit permissions to escalate privileges to full cluster compromise. The flaw stems from improper symlink validation when virt-handler connects to virtual machine console sockets. An attacker can replace the legitimate console socket with a symlink pointing to the host's container runtime (CRI-O) socket, hijacking virt-handler's privileged connection to access any Unix socket on the underlying node. This grants the attacker capabilities equivalent to node-level access, with potential for complete cluster takeover. The vulnerability carries a CVSS 3.1 score of 9.9 (Critical), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and changed scope with high impacts across confidentiality, integrity, and availability. The weakness is classified as CWE-59 (Improper Link Resolution Before File Access). Published and last modified on 2026-05-26, this vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Red Hat
Product: Red Hat Container Native Virtualization 4.12
CVSS: CRITICAL 9.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-27
Advisory published: 2026-05-26
Advisory updated: 2026-05-27

Who should care

Organizations running OpenShift Virtualization or KubeVirt for workload virtualization; Kubernetes platform teams managing multi-tenant clusters; security operations centers monitoring container runtime security; compliance teams responsible for virtualization and container security standards

Technical summary

The virt-handler component in KubeVirt fails to properly validate symlinks when establishing connections to VM console sockets. An attacker with edit permissions in a namespace can manipulate the console socket path, replacing it with a symlink to /var/run/crio/crio.sock or equivalent container runtime socket. When virt-handler (running with elevated privileges) follows this symlink, the connection is redirected to the host's CRI-O socket. This allows the attacker to send arbitrary container runtime commands, effectively achieving root-equivalent access on the host node. From this position, the attacker can access any Unix socket on the host, extract secrets, manipulate containers across all namespaces, and potentially compromise the entire Kubernetes cluster control plane. The attack requires authenticated access with namespace-scoped edit permissions but no initial node-level privileges.

Defensive priority

Immediate

Recommended defensive actions

  • Apply security updates from Red Hat when available, prioritizing KubeVirt and OpenShift Virtualization components
  • Review and restrict namespace-level edit permissions using the principle of least privilege
  • Implement admission controllers to prevent pod specifications that mount sensitive host paths
  • Monitor for anomalous virt-handler process behavior and unexpected socket access patterns
  • Audit existing RoleBindings and ClusterRoleBindings for excessive permissions in virtualized environments
  • Enable comprehensive audit logging for KubeVirt API operations and virt-handler interactions

Evidence notes

Vulnerability description and CVSS metrics sourced from NVD record. Vendor attribution to Red Hat derived from reference domain analysis of supplied source links (access.redhat.com, bugzilla.redhat.com). CWE-59 classification confirmed via NVD weaknesses field. No KEV listing confirmed via enrichment data.

Official resources

2026-05-26T14:16:40.717Z