CVE-2025-64435
published 2025-11-07CVE-2025-64435: KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.7.0-beta.0, a logic flaw in the virt-controller allows an attacker to disrupt the…
PriorityP429medium5.3CVSS 3.1
AVNACHPRLUINSUCNINAH
EPSS
0.32%
23.2th percentile
KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.7.0-beta.0, a logic flaw in the virt-controller allows an attacker to disrupt the control over a running VMI by creating a pod with the same labels as the legitimate virt-launcher pod associated with the VMI. This can mislead the virt-controller into associating the fake pod with the VMI, resulting in incorrect status updates and potentially causing a DoS (Denial-of-Service). This vulnerability is fixed in 1.7.0-beta.0.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kubevirt.io | kubevirt | >= 0 < 1.7.0-beta.0 | 1.7.0-beta.0 |
| kubevirt | kubevirt | < 1.7.0-beta.0 | 1.7.0-beta.0 |
| kubevirt | kubevirt | <= 1.6.3 | — |
| kubevirt | kubevirt | — | — |
| msrc | azl3_kubevirt_1.5.0-5_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubevirt_1.5.3-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubevirt_1.6.3-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_kubevirt_0.59.0-30_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kubevirt_0.59.0-31_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kubevirt_0.59.0-33_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
vendor_msrc5.3MEDIUM
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Microsoft
KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation
vendor_msrc·2025-11-11·CVSS 5.3
CVE-2025-64435 [MEDIUM] CWE-703 KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation
KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
Red Hat
kubevirt.io/kubevirt: KubeVirt VMI Denial-of-Service Using Pod Impersonation
vendor_redhat·2025-11-07·CVSS 5.3
CVE-2025-64435 [MEDIUM] CWE-703 kubevirt.io/kubevirt: KubeVirt VMI Denial-of-Service Using Pod Impersonation
kubevirt.io/kubevirt: KubeVirt VMI Denial-of-Service Using Pod Impersonation
KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.7.0-beta.0, a logic flaw in the virt-controller allows an attacker to disrupt the control over a running VMI by creating a pod with the same labels as the legitimate virt-launcher pod associated with the VMI. This can mislead the virt-controller into associating the fake pod with the VMI, resulting in incorrect status updates and potentially causing a DoS (Denial-of-Service). This vulnerability is fixed in 1.7.0-beta.0.
A denial of service flaw has been discovered in KubeVirt. A logic flaw in the virt-controller allows an attacker to disrupt the control over a running VMI by creating a pod with the same labels as the legitimate virt-launc
OSV
KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation in kubevirt.io/kubevirt
osv·2025-11-17
CVE-2025-64435 KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation in kubevirt.io/kubevirt
KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation in kubevirt.io/kubevirt
KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation in kubevirt.io/kubevirt
OSV
KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation
osv·2025-11-06
CVE-2025-64435 [MEDIUM] KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation
KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation
### Summary
_Short summary of the problem. Make the impact and severity as clear as possible.
A logic flaw in the `virt-controller` allows an attacker to disrupt the control over a running VMI by creating a pod with the same labels as the legitimate `virt-launcher` pod associated with the VMI. This can mislead the `virt-controller` into associating the fake pod with the VMI, resulting in incorrect status updates and potentially causing a DoS (Denial-of-Service).
### Details
_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._
A vulnerability has been identified in the logic responsible for reconciling the state of VMI. Specifically, it is possible to associate
GHSA
KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation
ghsa·2025-11-06
CVE-2025-64435 [MEDIUM] CWE-703 KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation
KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation
### Summary
_Short summary of the problem. Make the impact and severity as clear as possible.
A logic flaw in the `virt-controller` allows an attacker to disrupt the control over a running VMI by creating a pod with the same labels as the legitimate `virt-launcher` pod associated with the VMI. This can mislead the `virt-controller` into associating the fake pod with the VMI, resulting in incorrect status updates and potentially causing a DoS (Denial-of-Service).
### Details
_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._
A vulnerability has been identified in the logic responsible for reconciling the state of VMI. Specifically, it is possible to associate
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-11-07
Published