Medium6.5Red Hat Linux Updated
virt-handler notify server trusts VMI identity from unauthenticated gRPC request body
CVE-2026-13208 Published Jun 24, 2026Updated by vendor Jun 24, 2026
Affected products & platforms
Red Hat LinuxUnclassified
Summary
virt-handler notify server trusts VMI identity from unauthenticated gRPC request body. Red Hat rates this moderate (CVSS 6.5). Weakness: CWE-287.
Mitigation checklist
Recommended fix / mitigation
- Organizations can reduce exposure by: (1) restricting pods/exec permission on virt-launcher pods via admission policies (e.g., Gatekeeper or Kyverno rules denying exec on pods with the kubevirt.io launcher label), (2) using node affinity or dedicated node pools to isolate high-security tenant workloads from untrusted tenants, and (3) monitoring for unexpected VMI state transitions via cluster alerting.
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.