CVE-2026-7374
CriticalCVSS 9.9Exploitation Probability (EPSS)
Low risk44th percentile — higher than 44% of all known CVEs
Summary
A flaw in KubeVirt's virt-handler component allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to the host's CRI-O socket, the attacker can hijack virt-handler's privileged connection, gaining access to any Unix socket on the host, potentially leading to full node and cluster compromise.
Risk Assessment
The risk to the organization is critical – an attacker can gain full control over the entire Kubernetes cluster, compromising the confidentiality, integrity, and availability of all workloads and data.
Recommendation
Immediately update KubeVirt to a patched version and restrict edit permissions in namespaces to the minimum necessary.
Original NVD description (English source)
A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to the host's container runtime (CRI-O) socket, an attacker can hijack virt-handler's privileged connection. This enables the attacker to access any Unix socket on the host, potentially leading to full control of the node and the entire cluster.

