CVE-2026-7374
Published 2026-05-26
Priority: P265 · critical · 9.9 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.60% (44.0th percentile)
A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to the host's container runtime (CRI-O) socket, an attacker can hijack virt-handler's privileged connection. This enables the attacker to access any Unix socket on the host, potentially leading to full control of the node and the entire cluster.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| container-native-virtualization | virt-handler-rhel9 | — | — |
| kubevirt.io | kubevirt | >= 0 < 1.6.6 | 1.6.6 |
| kubevirt.io | kubevirt | >= 1.7.0-alpha.0 < 1.7.4 | 1.7.4 |
| kubevirt.io | kubevirt | >= 1.8.0-alpha.0 < 1.8.3 | 1.8.3 |
Detection & IOCs
- Detect symlink replacement of VM console socket with a path pointing to the host CRI-O socket inside virt-launcher pods
- Monitor for exec into virt-launcher pods by OpenShift users with edit role, as this is the initial access vector for exploitation
- Alert on virt-handler process accessing unexpected Unix sockets on the host, particularly the CRI-O socket, which may indicate symlink-following exploitation
- Audit filesystem activity within virt-launcher pods for symlink creation targeting host socket paths (e.g., CRI-O socket), as virt-handler follows paths without symlink validation
- Flag virt-handler connections that traverse outside expected VM console socket directories, leveraging its hostPID and elevated privilege context as an escalation indicator
- Exploitation requires an authenticated OpenShift user with at minimum the standard 'edit' role in a single namespace; lower-privileged users cannot exploit this directly
- Mitigation (not a fix): Update cluster RBAC to remove exec permissions into virt-launcher pods to break the exploitation chain
- Affected component is container-native-virtualization/virt-handler-rhel9 under Red Hat OpenShift Virtualization 4; scope is limited to environments running KubeVirt's virt-handler
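The items above trace the issue to virt-handler following the console socket path without symlink validation. The Go sketch below is an added example, not KubeVirt's code or its actual fix: a hypothetical `checkConsoleSocket` helper rejects a path that is a symlink or that resolves outside the expected directory, and the layout built in `demo` is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafeSocket = errors.New("unsafe console socket path")

// checkConsoleSocket (hypothetical) accepts path only if it is a real socket inside baseDir.
func checkConsoleSocket(baseDir, path string) error {
	fi, err := os.Lstat(path) // Lstat does not follow a symlink in the final component
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSocket == 0 { // a symlink has ModeSymlink set, never ModeSocket
		return fmt.Errorf("%w: %s has type %v, want socket", ErrUnsafeSocket, path, fi.Mode().Type())
	}
	realBase, baseErr := filepath.EvalSymlinks(baseDir)
	realPath, pathErr := filepath.EvalSymlinks(path) // catches symlinked parent directories
	rel, relErr := filepath.Rel(realBase, realPath)
	if baseErr != nil || pathErr != nil || relErr != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return fmt.Errorf("%w: %s resolves outside %s", ErrUnsafeSocket, path, baseDir)
	}
	return nil
}

// demo: constructed layout with a real socket in vmDir and a symlink to a socket outside it.
func demo() (realErr, linkErr error) {
	root, _ := os.MkdirTemp("", "sock")
	defer os.RemoveAll(root)
	vmDir, host := filepath.Join(root, "vm"), filepath.Join(root, "host.sock")
	os.Mkdir(vmDir, 0o700)
	good, swapped := filepath.Join(vmDir, "console.sock"), filepath.Join(vmDir, "swapped.sock")
	for _, p := range []string{good, host} {
		l, err := net.Listen("unix", p)
		if err != nil {
			return err, err
		}
		defer l.Close()
	}
	os.Symlink(host, swapped)
	return checkConsoleSocket(vmDir, good), checkConsoleSocket(vmDir, swapped)
}

func main() { fmt.Println(demo()) }
```

A check followed by a separate connect still leaves a race window, so production code should resolve the path once without following symlinks and connect through that handle rather than re-resolving the name.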
CVSS provenance
- nvd: v3.1, 9.9 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- vendor_redhat: 9.9 CRITICAL
GHSA
KubeVirt has a Link Following vulnerability
ghsa·2026-05-26
CVE-2026-7374 [CRITICAL] CWE-59 KubeVirt has a Link Following vulnerability
GHSA
GHSA-7jcp-v9w4-wjmg: A flaw was found in KubeVirt's virt-handler component
ghsa_unreviewed·2026-05-26
CVE-2026-7374 [CRITICAL] CWE-59 GHSA-7jcp-v9w4-wjmg: A flaw was found in KubeVirt's virt-handler component
Red Hat
kubevirt: KubeVirt virt-handler: Privilege escalation and node compromise via symlink following vulnerability
vendor_redhat·2026-05-26·CVSS 9.9
CVE-2026-7374 [CRITICAL] CWE-59 kubevirt: KubeVirt virt-handler: Privilege escalation and node compromise via symlink following vulnerability
Statement: This is an Important privilege escalation flaw in KubeVirt's virt-handler component. An authenticated OpenShift user with edit permissio
No detection rules found.
No public exploits indexed.
- https://access.redhat.com/errata/RHSA-2026:20720
- https://access.redhat.com/errata/RHSA-2026:20736
- https://access.redhat.com/errata/RHSA-2026:20763
- https://access.redhat.com/errata/RHSA-2026:20767
- https://access.redhat.com/errata/RHSA-2026:20782
- https://access.redhat.com/errata/RHSA-2026:20825
- https://access.redhat.com/errata/RHSA-2026:20866
- https://access.redhat.com/errata/RHSA-2026:20886
- https://access.redhat.com/errata/RHSA-2026:20890
- https://access.redhat.com/errata/RHSA-2026:20975
- https://access.redhat.com/security/cve/CVE-2026-7374
- https://bugzilla.redhat.com/show_bug.cgi?id=2463728
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-7374.json