VYPR
Moderate severityNVD Advisory· Published Nov 7, 2025· Updated Nov 10, 2025

KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing

CVE-2025-64434

Description

KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, due to the peer verification logic in virt-handler (via verifyPeerCert), an attacker who compromises a virt-handler instance, could exploit these shared credentials to impersonate virt-api and execute privileged operations against other virt-handler instances potentially compromising the integrity and availability of the VM managed by it. This vulnerability is fixed in 1.5.3 and 1.6.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
kubevirt.io/kubevirtGo
< 1.5.31.5.3
kubevirt.io/kubevirtGo
>= 1.6.0-alpha.0, < 1.6.11.6.1

Affected products

9

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.