Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-13325
PUBLISHED
More InfoOfficial Page
Assigner-redhat
Assigner Org ID-53f830b8-0a3f-465b-8143-3b8a9948e749
View Known Exploited Vulnerability (KEV) details
Published At-26 Jun, 2026 | 10:41
Updated At-26 Jun, 2026 | 18:42
Rejected At-
▼CVE Numbering Authority (CNA)
Virt-handler-rhel9: kubevirt: kubevirt: disabletls migration setting removes authentication, exposing unauthenticated virtqemud proxy on all interfaces

A flaw was found in KubeVirt's migration proxy. When spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource, the target virt-handler binds a plain TCP listener on all interfaces (0.0.0.0/::) on a random port with no authentication, peer allow-list, or handshake token. This listener proxies directly into the target virt-launcher's virtqemud control socket. An attacker with a running pod on the cluster network can connect to this listener and issue unfiltered libvirt RPC commands against another tenant's virtual machine, including reading VM memory and configuration, modifying VM state via QMP, or destroying the VM. The bind address is unconditionally 0.0.0.0 — configuring a dedicated migration network via migrations.network only changes the advertised migration IP, not the listener bind address, so the port remains reachable on the pod network even when a dedicated migration network is configured. The API documentation describes disableTLS as removing "the additional layer of live migration encryption" without disclosing that it also removes all mutual authentication.

Affected Products
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat OpenShift Virtualization 4
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
container-native-virtualization/virt-handler
CPEs
  • cpe:/a:redhat:container_native_virtualization:4
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat OpenShift Virtualization 4
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
container-native-virtualization/virt-handler-rhel9
CPEs
  • cpe:/a:redhat:container_native_virtualization:4
Default Status
affected
Problem Types
TypeCWE IDDescription
CWECWE-306Missing Authentication for Critical Function
Type: CWE
CWE ID: CWE-306
Description: Missing Authentication for Critical Function
Metrics
VersionBase scoreBase severityVector
3.18.5HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 8.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Red Hat severity rating
value:
Moderate
namespace:
https://access.redhat.com/security/updates/classification/
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Do not set spec.configuration.migrations.disableTLS to true on the KubeVirt custom resource. The default value (false) enforces mutual TLS authentication on migration proxy connections and fully prevents this attack. If disableTLS must remain enabled for operational reasons, deploy Kubernetes NetworkPolicies restricting ingress to virt-handler pods to only allow connections from other virt-handler and virt-launcher pods. Note that configuring a dedicated migration network via migrations.network alone does not mitigate this flaw, as the listener binds on all interfaces regardless of the migration network configuration.

Exploits

Credits

This issue was discovered by Huzaifa Sidhpurwala (Red Hat).
Timeline
EventDate
Reported to Red Hat.2026-06-26 00:00:00
Made public.2026-06-26 10:17:00
Event: Reported to Red Hat.
Date: 2026-06-26 00:00:00
Event: Made public.
Date: 2026-06-26 10:17:00
Replaced By

Rejected Reason

References
HyperlinkResource
https://access.redhat.com/security/cve/CVE-2026-13325
vdb-entry
x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2493378
issue-tracking
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/security/cve/CVE-2026-13325
Resource:
vdb-entry
x_refsource_REDHAT
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2493378
Resource:
issue-tracking
x_refsource_REDHAT
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Details not found