CVE-2026-7374
published 2026-05-26


Priority: P2 · 65 · critical · 9.9 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
EPSS: 0.60% (44.0th percentile)
A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to the host's container runtime (CRI-O) socket, an attacker can hijack virt-handler's privileged connection. This enables the attacker to access any Unix socket on the host, potentially leading to full control of the node and the entire cluster.

Affected

4 ranges

Vendor                           Product             Version range              Fixed in
container-native-virtualization  virt-handler-rhel9
kubevirt.io                      kubevirt            >= 0 < 1.6.6               1.6.6
kubevirt.io                      kubevirt            >= 1.7.0-alpha.0 < 1.7.4   1.7.4
kubevirt.io                      kubevirt            >= 1.8.0-alpha.0 < 1.8.3   1.8.3

Detection & IOCs

  • Detect symlink replacement of VM console socket with a path pointing to the host CRI-O socket inside virt-launcher pods
  • Monitor for exec into virt-launcher pods by OpenShift users with edit role, as this is the initial access vector for exploitation
  • Alert on virt-handler process accessing unexpected Unix sockets on the host, particularly the CRI-O socket, which may indicate symlink-following exploitation
  • Audit filesystem activity within virt-launcher pods for symlink creation targeting host socket paths (e.g., CRI-O socket), as virt-handler follows paths without symlink validation
  • Flag virt-handler connections that traverse outside expected VM console socket directories, leveraging its hostPID and elevated privilege context as an escalation indicator
  • Exploitation requires an authenticated OpenShift user with at minimum the standard 'edit' role in a single namespace; lower-privileged users cannot exploit this directly
  • Mitigation (not a fix): Update cluster RBAC to remove exec permissions into virt-launcher pods to break the exploitation chain
  • Affected component is container-native-virtualization/virt-handler-rhel9 under Red Hat OpenShift Virtualization 4; scope is limited to environments running KubeVirt's virt-handler
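
The symlink audit described in the detection items above, as an added example (not KubeVirt or vendor code): it walks a socket directory with lstat, lists every symlink, and marks those that resolve outside the directory. The directory name, file names and the plain files standing in for Unix sockets are constructed for the demo.

```python
import os
import stat
import tempfile

def audit_socket_dir(base_dir):
    """List symlinks under base_dir and whether each resolves outside it."""
    base_real = os.path.realpath(base_dir)
    findings = []
    # followlinks=False: never descend through a symlinked directory.
    for root, dirs, files in os.walk(base_dir, followlinks=False):
        for name in sorted(dirs + files):
            path = os.path.join(root, name)
            # lstat inspects the entry itself; stat would follow the link.
            if not stat.S_ISLNK(os.lstat(path).st_mode):
                continue
            target = os.path.realpath(path)
            inside = os.path.commonpath([base_real, target]) == base_real
            findings.append({
                "entry": os.path.relpath(path, base_dir),
                "target": target,
                "escapes_base": not inside,
            })
    return sorted(findings, key=lambda f: f["entry"])

def build_constructed_layout(tmp):
    """Constructed sample: plain files stand in for Unix sockets."""
    base = os.path.join(tmp, "console-sockets")       # hypothetical directory
    outside = os.path.join(tmp, "host-runtime.sock")  # stand-in for a host socket
    os.mkdir(base)
    open(outside, "w").close()
    open(os.path.join(base, "vm-a.sock"), "w").close()
    os.symlink(outside, os.path.join(base, "vm-b.sock"))      # leaves base: alert
    os.symlink("vm-a.sock", os.path.join(base, "vm-c.sock"))  # stays inside base
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in audit_socket_dir(build_constructed_layout(tmp)):
            level = "ALERT" if f["escapes_base"] else "review"
            print(f"{level}: {f['entry']} -> {f['target']}")
```

A symlink that stays inside the directory is still reported for review, since a console socket path is expected to be a socket rather than a link.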

CVSS provenance

nvd            v3.1  9.9  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vendor_redhat        9.9  CRITICAL