CVE-2025-64436
MEDIUMKubeVirt < 1.5.3 - Improper Privilege Management via Virt-Handler Service Account
Title source: llmDescription
KubeVirt is a virtual machine management add-on for Kubernetes. In 1.5.0 and earlier, the permissions granted to the virt-handler service account, such as the ability to update VMI and patch nodes, could be abused to force a VMI migration to an attacker-controlled node. This vulnerability could otherwise allow an attacker to mark all nodes as unschedulable, potentially forcing the migration or creation of privileged pods onto a compromised node.
References (1)
Core 1
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/kubevirt/kubevirt/security/advisories/GHSA-7xgm-5prm-v5gc
Scores
CVSS v3
5.3
EPSS
0.0023
EPSS Percentile
13.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-269
CWE-276
Status
published
Products (2)
kubevirt/kubevirt
< 1.5.3
kubevirt.io/kubevirt
0 - 1.7.0Go
Published
Nov 07, 2025
Tracked Since
Feb 18, 2026