CVE-2026-7374

Vulnerability

A flaw in KubeVirt's virt-handler component allows improper symlink validation when connecting to virtual machine console sockets. An authenticated OpenShift user with edit permissions in a single namespace can exploit this by replacing the console socket with a symlink to the host's CRI-O socket. This affects KubeVirt versions prior to the fix [1][2].

Exploitation

The attacker needs authentication to an OpenShift cluster and the standard edit role in at least one namespace. They exec into the virt-launcher pod, replace the console socket file with a symlink pointing to the host's container runtime socket (e.g., /run/crio/crio.sock). When virt-handler connects to the VM console, it follows the symlink and connects to the CRI-O socket, hijacking the privileged connection [1][2].

Impact

Successful exploitation allows the attacker to access any Unix socket on the host via virt-handler's elevated privileges (hostPID and root). This can lead to full control of the node and potentially the entire cluster, as the attacker can issue commands to the container runtime and escape the namespace [1][2].

Mitigation

Red Hat has not yet released a fixed version. Users should monitor the KubeVirt project for updates. As a workaround, restrict edit permissions in namespaces or use security policies to prevent symlink attacks. No KEV listing known [1][2].