Moderate severity | NVD Advisory | Published Nov 7, 2025 | Updated Nov 10, 2025
KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes
CVE-2025-64436
Description
KubeVirt is a virtual machine management add-on for Kubernetes. In 1.5.0 and earlier, the permissions granted to the virt-handler service account, such as the ability to update VMIs and patch nodes, could be abused to force a VMI migration onto an attacker-controlled node. The same permissions could alternatively be used to mark all nodes as unschedulable, potentially forcing the migration or creation of privileged pods onto a compromised node.
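The risk described above is a combination of two RBAC grants on one service account: write access to KubeVirt VirtualMachineInstances and write access to Nodes. The following audit helper is an added example, not code from KubeVirt or from the advisory; the ClusterRole it inspects is a constructed sample, not the upstream virt-handler role, and the risk labels and function names are my own.

```python
"""Audit Kubernetes RBAC rules for the permission combination described in
CVE-2025-64436: a principal that can update/patch KubeVirt
VirtualMachineInstances AND patch Nodes can influence VMI placement.

SAMPLE_CLUSTERROLE is a constructed example for illustration only (it is
not the real virt-handler ClusterRole). In practice, feed audit_rules() the
output of `kubectl get clusterrole <name> -o json` for the role bound to the
virt-handler service account.
"""
import json

# Constructed sample: a role that is wider than its workload needs.
SAMPLE_CLUSTERROLE = json.loads("""{
  "kind": "ClusterRole", "metadata": {"name": "sample-virt-handler"},
  "rules": [
    {"apiGroups": ["kubevirt.io"], "resources": ["virtualmachineinstances"],
     "verbs": ["get", "list", "watch", "update"]},
    {"apiGroups": [""], "resources": ["nodes"],
     "verbs": ["get", "list", "watch", "patch"]}
  ]}""")

# Label -> (apiGroup, resource, write verbs) pairs relevant to this advisory.
# "" is the core API group, where Node lives.
RISKY = {
    "vmi-write": ("kubevirt.io", "virtualmachineinstances", {"update", "patch"}),
    "node-write": ("", "nodes", {"update", "patch"}),
}

def _matches(items, wanted):
    """RBAC wildcard semantics: '*' matches any apiGroup, resource or verb."""
    return "*" in items or wanted in items

def audit_rules(clusterrole):
    """Return the set of risky capability labels granted by the role's rules."""
    found = set()
    for rule in clusterrole.get("rules", []):
        for label, (group, resource, verbs) in RISKY.items():
            if (_matches(rule.get("apiGroups", []), group)
                    and _matches(rule.get("resources", []), resource)
                    and any(_matches(rule.get("verbs", []), v) for v in verbs)):
                found.add(label)
    return found

def can_steer_migrations(clusterrole):
    """True when both halves of the CVE-2025-64436 combination are granted."""
    return {"vmi-write", "node-write"} <= audit_rules(clusterrole)

if __name__ == "__main__":
    name = SAMPLE_CLUSTERROLE["metadata"]["name"]
    verdict = "RISKY" if can_steer_migrations(SAMPLE_CLUSTERROLE) else "ok"
    print(name, sorted(audit_rules(SAMPLE_CLUSTERROLE)), verdict)
```

A role that only needs to observe VMIs and nodes (get/list/watch) produces an empty finding set; a fully wildcarded role is flagged because RBAC's `*` matches every group, resource and verb.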
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| kubevirt.io/kubevirt (Go) | < 1.7.0 | 1.7.0 |
Affected products
Versions sourced from OSV coordinates; none of these entries carries a CPE.
| Package | Affected range |
|---|---|
| pkg:apk/chainguard/virt-controller-fips-1.6 | < 1.6.6-r2 |
| pkg:apk/chainguard/virt-launcher-1.6 | < 1.6.6-r3 |
| pkg:apk/chainguard/virt-launcher-1.6-virt-freezer | < 1.6.6-r3 |
| pkg:apk/chainguard/virt-launcher-1.6-virt-launcher-monitor | < 1.6.6-r3 |
| pkg:apk/chainguard/virt-launcher-1.6-virt-tail | < 1.6.6-r3 |
| pkg:apk/chainguard/virt-operator-fips-1.6 | < 1.6.6-r2 |
| pkg:golang/kubevirt.io/kubevirt | < 1.7.0 |
References
- GitHub Advisory Database, GHSA-7xgm-5prm-v5gc: https://github.com/advisories/GHSA-7xgm-5prm-v5gc
- NVD, CVE-2025-64436: https://nvd.nist.gov/vuln/detail/CVE-2025-64436
- KubeVirt repository advisory (confirmed): https://github.com/kubevirt/kubevirt/security/advisories/GHSA-7xgm-5prm-v5gc