CVE Catalog

CVE-2026-13434

MediumCVSS 4.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

5th percentile — higher than 5% of all known CVEs

Summary

A flaw in KubeVirt's network annotation generator allows a tenant with kubevirt.io:edit permissions to inject JSON into the v1.multus-cni.io/default-network annotation due to missing validation. When the ExternalNetResourceInjection feature gate is enabled (off by default), Multus can attach the pod to any network in any namespace.

Risk Assessment

The organization risks unauthorized cross-namespace network access and IP/MAC impersonation, breaking network isolation and enabling privilege escalation in multi-tenant environments.

Recommendation

Disable the ExternalNetResourceInjection feature gate if not needed, and update KubeVirt to a patched version. For OpenShift Virtualization 4.21+, apply the relevant security fixes.

Original NVD description (English source)

A flaw was found in KubeVirt's network annotation generator. When a tenant creates a VirtualMachineInstance with a Multus network configuration, the supplied networkName value is written verbatim into the launcher pod's v1.multus-cni.io/default-network annotation without format validation or sanitization. The only admission check rejects empty strings; no DNS-1123 format validation, JSON detection, or special character rejection is performed. When the ExternalNetResourceInjection Beta feature gate is enabled (off by default, cluster-admin only), the NAD lookup that would otherwise catch malformed names is skipped by design. A tenant with kubevirt.io:edit permissions can inject a JSON-formatted NetworkSelectionElement array specifying an arbitrary namespace, NAD name, static IP address, and MAC address. Multus on the node parses this JSON and attaches the launcher pod to the specified network attachment in any namespace, enabling cross-namespace network access and IP/MAC impersonation on network segments normally segregated from tenant workloads. The ExternalNetResourceInjection feature gate was introduced in KubeVirt v1.8.0 (first shipped in OpenShift Virtualization 4.21).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS