CVE-2026-9804 Red Hat CVE debrief

Who should care

Organizations running KubeVirt for virtual machine management on Kubernetes, particularly those using the VMExport functionality for disk exports. Platform engineers, Kubernetes cluster administrators, and security teams responsible for containerized virtualization environments should prioritize assessment.

Technical summary

The virt-exportserver component in KubeVirt fails to properly validate symbolic links within exported filesystem PVCs. An attacker with namespace-level access can create a symlink in a PVC that resolves outside the mount root, causing the export endpoint to follow the link and expose arbitrary files from the exporter pod's filesystem. The vulnerability is triggered through the VMExport directory endpoint and results in information disclosure without affecting integrity or availability.

Defensive priority

HIGH

Recommended defensive actions

• Review KubeVirt VMExport configurations and restrict namespace-level access to the virt-exportserver component
• Audit Persistent Volume Claims for unexpected symbolic links before export operations
• Apply security patches from KubeVirt/Red Hat when available
• Monitor virt-exportserver pod filesystem access for anomalous read patterns
• Implement admission controls to prevent PVCs with suspicious symlink configurations from being exported

Evidence notes

The vulnerability description is sourced from the NVD record with references to Red Hat's security advisory and Bugzilla entry. The CVSS vector confirms network attack vector with low attack complexity, low privileges required, and high confidentiality impact on changed scope.

Official resources