KubeVirt virt-handler cache handling flaw allows symlink-based file overwrite
CVE-2026-13218 Published on June 25, 2026
Kubevirt: kubevirt: symlink following in writetocachedfile allows host file overwrite from virt-launcher
A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership.
Vulnerability Analysis
CVE-2026-13218 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity and availability.
Timeline
Reported to Red Hat.
Made public. 1 day later.
Weakness Type
What is a Symlink following Vulnerability?
The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files. A software system that allows UNIX symbolic links (symlink) as part of paths whether in internal code or through user input can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read/write/corrupt a file that they originally did not have permissions to access.
CVE-2026-13218 has been classified to as a Symlink following vulnerability or weakness.
Products Associated with CVE-2026-13218
Want to know whenever a new CVE is published for Red Hat Container Native Virtualization? stack.watch will email you.
