Path Traversal vulnerability in Kubevirt
Description
A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/<> is not accessible.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
KubeVirt versions up to 0.56 contain a path traversal vulnerability allowing users to read arbitrary host files readable by UID/GID 107.
Vulnerability
Description
CVE-2022-1798 is a path traversal vulnerability in KubeVirt, a virtual machine management add-on for Kubernetes [2]. The flaw exists in KubeVirt versions up to 0.56 and 0.55.1, and allows a user who can configure a VirtualMachineInstance (VMI) to read arbitrary files from the host filesystem [1][3]. The read operations are limited to files that are publicly readable or readable by UID 107 or GID 107; notably, /proc/self/ is not accessible [3].
Exploitation
Details
An attacker with permission to create VMIs can craft a malicious VMI specification that includes relative path traversal sequences (e.g., test3/../../../../../../../../etc/passwd) in fields such as spec.volumes[*].containerDisk.path [4]. When the VMI is launched, the traversed path is mounted into the virt-launcher pod, making the target host file accessible as a block device inside the VM [3]. Additionally, symlinks placed inside a containerDisk image or hotplugged PVC can achieve the same effect, as the code paths for containerDisk and hotplug share the same mechanism [4].
Impact
Successful exploitation allows an attacker to read sensitive host files, such as /etc/passwd, that are world-readable or readable by UID/GID 107 [3][4]. While the vulnerability does not grant write access and is limited by file permissions, it can be used to gather information about the host system, potentially aiding further attacks. SELinux may provide partial mitigation in environments where it is enforced [3].
Mitigation
The vulnerability was patched in KubeVirt releases after 0.56. Users should upgrade to a fixed version [1][4]. No workaround is available other than upgrading or restricting the ability to create VMIs to trusted users only.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
kubevirt.io/kubevirtGo | >= 0.20.0, < 0.55.1 | 0.55.1 |
Affected products
6- ghsa-coords5 versionspkg:golang/kubevirt.io/kubevirtpkg:rpm/opensuse/kubevirt&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/kubevirt&distro=openSUSE%20Leap%2015.4pkg:rpm/suse/kubevirt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3pkg:rpm/suse/kubevirt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP4
>= 0.20.0, < 0.55.1+ 4 more
- (no CPE)range: >= 0.20.0, < 0.55.1
- (no CPE)range: < 0.49.0-150300.8.13.1
- (no CPE)range: < 0.54.0-150400.3.3.2
- (no CPE)range: < 0.49.0-150300.8.13.1
- (no CPE)range: < 0.54.0-150400.3.3.2
- Google LLC/Kubevirtv5Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-cvx8-ppmc-78hmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-1798ghsaADVISORY
- github.com/google/security-research/security/advisories/GHSA-cvx8-ppmc-78hmghsaWEB
- github.com/kubevirt/kubevirt/security/advisories/GHSA-qv98-3369-g364ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.