CVE-2025-64324

KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn't exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.5 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/kubevirt/kubevirt/commit/00d03e43e3bf03e563136695a4732b65ed42d764	Patch
https://github.com/kubevirt/kubevirt/commit/ff3b69b08b6b9c8d08d23735ca8d82455f790a69	Patch
https://github.com/kubevirt/kubevirt/pull/15037	Issue Tracking
https://github.com/kubevirt/kubevirt/security/advisories/GHSA-46xp-26xh-hpqh	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:kubevirt:kubevirt::::::kubernetes::*
	cpe:2.3:a:kubevirt:kubevirt:1.7.0:alpha0::::kubernetes::*
	cpe:2.3:a:kubevirt:kubevirt:1.7.0:beta0::::kubernetes::*

History

No history.

Information

Published : 2025-11-18 23:15

Updated : 2025-11-25 17:16

NVD link : CVE-2025-64324

Mitre link : CVE-2025-64324

CVE.ORG link : CVE-2025-64324

JSON object : View

Products Affected

kubevirt

kubevirt

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2025-64324", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.5}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-11-18T23:15:55.293", "references": [{"url": "https://github.com/kubevirt/kubevirt/commit/00d03e43e3bf03e563136695a4732b65ed42d764", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kubevirt/kubevirt/commit/ff3b69b08b6b9c8d08d23735ca8d82455f790a69", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kubevirt/kubevirt/pull/15037", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kubevirt/kubevirt/security/advisories/GHSA-46xp-26xh-hpqh", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn't exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue."}], "lastModified": "2025-11-25T17:16:59.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kubevirt:kubevirt:*:*:*:*:*:kubernetes:*:*", "vulnerable": true, "matchCriteriaId": "734D7F12-338C-477B-90F1-36641690CE7E", "versionEndExcluding": "1.6.1"}, {"criteria": "cpe:2.3:a:kubevirt:kubevirt:1.7.0:alpha0:*:*:*:kubernetes:*:*", "vulnerable": true, "matchCriteriaId": "6C13B76B-290B-4D75-AF75-54FEC43B75C4"}, {"criteria": "cpe:2.3:a:kubevirt:kubevirt:1.7.0:beta0:*:*:*:kubernetes:*:*", "vulnerable": true, "matchCriteriaId": "870D3714-CE8E-4D20-942F-7DD43D88F782"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}