KubeVirt safepath nofollow bypass causes host path permission changes
CVE-2026-13201 Published on June 24, 2026

Kubevirt: virt-handler-rhel9: kubevirt: safepath openatnofollow symlink following via /proc/self/fd allows host file metadata modification
A flaw was found in KubeVirt's safepath package. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream helpers operate via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel dereferences it, defeating the intended no-follow protection. An attacker with access to a virt-launcher pod can exploit this to cause virt-handler to apply file ownership or permission changes to an unintended host path.

NVD

Vulnerability Analysis

CVE-2026-13201 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
NONE
Integrity Impact:
LOW
Availability Impact:
LOW

Timeline

Reported to Red Hat.

Made public.

Weakness Type

What is a Symlink following Vulnerability?

The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. A software system that allows UNIX symbolic links (symlink) as part of paths whether in internal code or through user input can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read/write/corrupt a file that they originally did not have permissions to access.

CVE-2026-13201 has been classified to as a Symlink following vulnerability or weakness.


Products Associated with CVE-2026-13201

Want to know whenever a new CVE is published for Red Hat Container Native Virtualization? stack.watch will email you.

Red Hat Container Native Virtualization
 

Affected Versions

Red Hat OpenShift Virtualization 4: Red Hat OpenShift Virtualization 4: