Moderate severity · NVD Advisory · Published Nov 7, 2025 · Updated Nov 10, 2025
KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes
CVE-2025-64436
Description
KubeVirt is a virtual machine management add-on for Kubernetes. In version 1.5.0 and earlier, the permissions granted to the virt-handler service account, such as the ability to update VMI objects and patch Node objects, could be abused to force a VMI migration onto an attacker-controlled node. The same permissions could also allow an attacker to mark all nodes as unschedulable, potentially forcing the migration or creation of privileged pods onto a compromised node.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| kubevirt.io/kubevirt | Go | < 1.7.0 | 1.7.0 |
Affected products: 1
Patches: 0 (no patches discovered yet)
References (3)
- GitHub Security Advisory: https://github.com/advisories/GHSA-7xgm-5prm-v5gc
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64436
- Vendor advisory (kubevirt/kubevirt): https://github.com/kubevirt/kubevirt/security/advisories/GHSA-7xgm-5prm-v5gc