CVE-2025-64436
Published 2025-11-07
Priority P429 · medium · 5.3 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.23% (13.8th percentile)
KubeVirt is a virtual machine management add-on for Kubernetes. In 1.5.0 and earlier, the permissions granted to the virt-handler service account, such as the ability to update VMI and patch nodes, could be abused to force a VMI migration to an attacker-controlled node. This vulnerability could otherwise allow an attacker to mark all nodes as unschedulable, potentially forcing the migration or creation of privileged pods onto a compromised node.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kubevirt.io | kubevirt | >= 0 < 1.7.0 | 1.7.0 |
| kubevirt | kubevirt | <= 1.5.3 | — |
| kubevirt | kubevirt | 1.6.0 – 1.6.1 | — |
| msrc | azl3_kubevirt_1.5.0-5_on_azure_linux_3.0 | — | — |
| msrc | azl3_kubevirt_1.5.3-2_on_azure_linux_3.0 | — | — |
| msrc | cbl2_kubevirt_0.59.0-30_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kubevirt_0.59.0-31_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kubevirt_0.59.0-33_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kubevirt_0.59.0-35_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kubevirt_0.59.0-38_on_cbl_mariner_2.0 | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 6.9 | MEDIUM | — |
| vendor_msrc | — | 5.3 | MEDIUM | — |
Microsoft
KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes
vendor_msrc·2025-11-11·CVSS 5.3
CVE-2025-64436 [MEDIUM] CWE-269 KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
Red Hat
kubevirt.io/kubevirt: KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes
vendor_redhat·2025-11-07·CVSS 6.9
CVE-2025-64436 [MEDIUM] CWE-272 kubevirt.io/kubevirt: KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes
A privilege management flaw has been discovered in KubeVirt. The permissions granted to the virt-handler service account, such as the ability to update VMI and patch nodes, could be abused to force a VMI migration to an attacker-contro
OSV
KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes in github.com/kubevirt/kubevirt
osv·2025-11-17
CVE-2025-64436 KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes in github.com/kubevirt/kubevirt
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/kubevirt/kubevirt before v1.7.0.
GHSA
KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes
ghsa·2025-11-06
CVE-2025-64436 [MEDIUM] CWE-269 KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes
### Summary
The permissions granted to the `virt-handler` service account, such as the ability to update VMI and patch nodes, could be abused to force a VMI migration to an attacker-controlled node.
### Details
Following the [GitHub security advisory published on March 23 2023](https://github.com/kubevirt/kubevirt/security/advisories/GHSA-cp96-jpmq-xrr2), a `ValidatingAdmissionPolicy` was introduced to impose restrictions on which sections of node resources the `virt-handler` service account can modify. For instance, the `spec` section of nodes has been made immutable, and modifications to the `labels` section are now limited to `kubevirt.io`-prefixed labels only. This vulnerability could otherwi
OSV
KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes
osv·2025-11-06
CVE-2025-64436 [MEDIUM] KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes