unbounded virtio-serial ReadLine in virt-handler causes OOM denial of service
Summary
A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is received, with no length limit or read deadline. Red Hat has rated this issue as having Low security impact. The vulnerable code runs in virt-handler, a node-level DaemonSet; however, in OpenShift Virtualization, cgroup memory limits ensure the OOM kill is contained to the virt-handler pod and does not affect the node kernel or kubelet. Running VM workloads (QEMU processes) survive independently and continue operating — only management operations (live migration, graceful shutdown, monitoring updates) are temporarily disrupted. An administrator can recover by deleting the offending VirtualMachineInstance, after which virt-handler resumes normal operation on its next restart. The attack surface is limited to VMIs that explicitly configure a downwardMetrics virtio-serial device, which is not part of the default VM configuration. The blast radius is confined to a single node. Red Hat severity: Low — CVSS 3.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L). Weakness: CWE-770. Affected Red Hat products: Red Hat OpenShift Virtualization 4. Red Hat does not currently list a fixing RHSA for this CVE.
Mitigation checklist
- The downward metrics virtio-serial device must be explicitly added to a VM's specification to be present. Clusters that do not use this feature are not exposed. To reduce exposure, administrators can restrict the ability to configure downward metrics devices on tenant VMs by using an admission webhook or policy controller such as Gatekeeper/OPA.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.