High7.3Vendor: MediumRed Hat Linux Updated
safepath symlink following in virt-handler enables notify socket hijacking and node-level VM disruption
CVE-2026-13201 Published Jun 24, 2026Updated by vendor Jun 24, 2026
Affected products & platforms
Red Hat LinuxUnclassified
Summary
safepath symlink following in virt-handler enables notify socket hijacking and node-level VM disruption. Red Hat rates this moderate (CVSS 7.3). Weakness: CWE-61.
Mitigation checklist
Recommended fix / mitigation
- The following measures reduce the attacker pool and limit secondary impact: Review RBAC policies to restrict pods/exec permissions on virt-launcher pods to only those users who strictly require it. This reduces the number of identities that can place symlinks in the launcher filesystem. Ensure SELinux is in enforcing mode (default in OpenShift). While SELinux does not prevent the notify socket hijacking path, it restricts the set of host files targetable through the chown/chmod path by blocking operations on files with protected security labels. RHCOS immutable filesystem layers prevent modification of core OS files through the chown/chmod path. Note: no mitigation currently addresses the notify socket hijacking vector. The attacker's ability to inject domain events into virt-handler is not constrained by SELinux or filesystem immutability.
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.