CVE Catalog

CVE-2026-13322

Severity: Low · CVSS 3.8

Exploitation Probability (EPSS)

Low risk
0.10%

1st percentile: the EPSS score is higher than that of 1% of all known CVEs

Summary

KubeVirt's downward metrics feature hands host-side metrics to a guest over a virtio-serial channel. The server side of that channel runs inside virt-handler, the per-node KubeVirt agent, and reads each guest request with textproto.Reader.ReadLine(). ReadLine() keeps appending to an in-memory buffer until it sees a newline, and the server applies neither a length limit nor a read deadline, so a user inside a guest whose VM has the downward metrics device configured can write a continuous, newline-free byte stream to the device and make virt-handler allocate memory without bound until the kernel OOM-kills it. Guests without the device configured are not affected.
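The following Go program, added here as an illustration and not code from KubeVirt, shows the vulnerable read pattern beside a hardened one. The limits (maxRequestLine, readTimeout), the "GET /metrics/XML" sample request, and the floodReader that stands in for a guest writing an endless byte stream are assumptions for this example. demoUnbounded shows that ReadLine() swallows every byte it is given; demoBounded shows a reader that stops after a fixed budget; demoStall shows a read deadline ending a request from a guest that sends a partial line and then goes silent.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net"
	"net/textproto"
	"strings"
	"time"
)

// Limits assumed for this example; they are not values taken from KubeVirt.
const (
	maxRequestLine = 4096            // longest request line the server will buffer
	readTimeout    = 2 * time.Second // longest a guest may take to finish one line
)

// ErrLineTooLong is returned when a guest sends more than maxRequestLine
// bytes without a newline.
var ErrLineTooLong = errors.New("request line exceeds limit")

// floodReader stands in for a guest writing an endless, newline-free stream
// to the virtio-serial device (constructed input). Every Read fills the whole
// buffer, so only the caller can stop it; n counts the bytes handed out.
type floodReader struct{ n int64 }

func (f *floodReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'A'
	}
	f.n += int64(len(p))
	return len(p), nil
}

// readLineUnbounded is the vulnerable pattern: textproto.Reader.ReadLine
// appends to a slice until it sees '\n', so it buffers whatever the peer sends.
func readLineUnbounded(r io.Reader) (string, error) {
	return textproto.NewReader(bufio.NewReader(r)).ReadLine()
}

// readLineBounded reads one line but takes at most limit+1 bytes from r; the
// extra byte distinguishes a line of exactly limit bytes from an over-long one.
func readLineBounded(r io.Reader, limit int64) (string, error) {
	br := bufio.NewReader(io.LimitReader(r, limit+1))
	line, err := br.ReadString('\n')
	switch {
	case err == nil:
		return strings.TrimRight(line, "\r\n"), nil
	case errors.Is(err, io.EOF) && int64(len(line)) > limit:
		return "", ErrLineTooLong
	case errors.Is(err, io.EOF):
		return "", io.ErrUnexpectedEOF
	default:
		return "", err
	}
}

// readRequest adds a read deadline to the size cap, so a guest that sends a
// partial line and then goes silent cannot pin the handler goroutine either.
func readRequest(conn net.Conn, limit int64, timeout time.Duration) (string, error) {
	if err := conn.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return "", err
	}
	return readLineBounded(conn, limit)
}

// demoUnbounded feeds budget bytes of flood to the vulnerable reader and
// reports how many it consumed: all of them, held in memory, before it gives
// up at EOF. A real guest never sends EOF.
func demoUnbounded(budget int64) int64 {
	f := &floodReader{}
	_, _ = readLineUnbounded(io.LimitReader(f, budget))
	return f.n
}

// demoBounded points the hardened reader at an endless flood and reports how
// many bytes it consumed before rejecting the request.
func demoBounded() (int64, error) {
	f := &floodReader{}
	_, err := readLineBounded(f, maxRequestLine)
	return f.n, err
}

// demoStall sends a partial request over an in-memory connection and then
// goes silent; the deadline, not the guest, ends the read.
func demoStall(timeout time.Duration) error {
	guest, host := net.Pipe()
	defer guest.Close()
	defer host.Close()
	go func() { _, _ = guest.Write([]byte("GET /metr")) }()
	_, err := readRequest(host, maxRequestLine, timeout)
	return err
}

func main() {
	fmt.Printf("vulnerable reader swallowed %d bytes\n", demoUnbounded(1<<20))
	n, err := demoBounded()
	fmt.Printf("hardened reader stopped after %d bytes: %v\n", n, err)
	line, _ := readLineBounded(strings.NewReader("GET /metrics/XML\n\n"), maxRequestLine)
	fmt.Printf("legitimate request: %q\n", line)
	fmt.Printf("stalled guest: %v\n", demoStall(readTimeout))
}
```

The size cap is what removes the unbounded allocation; the deadline closes the complementary hole, a guest that holds a handler goroutine open forever by never finishing a line. Both belong on any server that parses peer-controlled line protocols, whether or not the transport is a virtio-serial channel.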

Risk Assessment

A guest that can write to the downward metrics device can drive virt-handler, the per-node KubeVirt agent, into unbounded memory growth until the kernel OOM-kills it. Because a single virt-handler instance manages every virtual machine on its node, the denial of service reaches beyond the attacking VM to the other VMs on that node, and the guest can repeat the attack after the process restarts. The impact is availability only, and the attacker must already have a foothold inside a guest that has the device configured, which is why the CVSS score is low despite the cluster-wide scope.

Recommendation

Upgrade to a KubeVirt release that contains the fix. Until then, treat the downward metrics device as a privilege: it is opt-in per virtual machine (spec.domain.devices.downwardMetrics in the VirtualMachineInstance spec), so audit which VMIs have it configured and remove it from any whose guest workload is not trusted. Monitor virt-handler for OOM kills and unexplained memory growth; a guest exercising this flaw shows up as a restart loop of the virt-handler pod on the affected node.

Original NVD description (English source)

A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is received, with no length limit or read deadline. A user with access to a VM guest that has the downward metrics virtio-serial device configured can write a continuous byte stream to the device, causing unbounded memory allocation in the virt-handler process until it is OOM-killed.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS