CVE-2026-13208
MEDIUM 6.5A flaw was found in KubeVirt's virt-handler domain notify server. The gRPC handlers for HandleDomainEvent and HandleK8SEvent derive the VMI identity (namespace/name) solely from the request body without validating it against the connection's origin. Each virt-launcher pod connects through a per-VMI pipe socket, but no identity tag is propagated from the pipe path to the server handlers. This allows a compromised virt-launcher process to send forged domain lifecycle events for any other VMI scheduled on the same node, causing virt-handler to erroneously update that VMI's state and disrupt its lifecycle management.
No known exploitation, public exploit, or elevated probability at this time. Track for changes.
Exploitation likelihood
0.1%chance of exploitation in 30 days · 1st percentile
Impact if exploited
6.5CVSS 3.1 · MEDIUM
- ConfidentialityNone
- IntegrityNone
- AvailabilityHigh
What an attacker needs
- ⚠Access: Requires local access to the host
- ⚠Privileges: Requires a low-privilege account
- ✓User interaction: No user interaction needed
- ✓Complexity: No special conditions — reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Weakness (CWE)
- CWE-287: Improper authentication
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H