{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-13218","assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","state":"PUBLISHED","assignerShortName":"redhat","dateReserved":"2026-06-24T15:29:58.096Z","datePublished":"2026-06-25T23:23:23.228Z","dateUpdated":"2026-06-26T14:58:48.021Z"},"containers":{"cna":{"title":"Kubevirt: kubevirt: symlink following in writetocachedfile allows host file overwrite from virt-launcher","metrics":[{"other":{"content":{"value":"Moderate","namespace":"https://access.redhat.com/security/updates/classification/"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"LOW","baseScore":4.2,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L","version":"3.1"},"format":"CVSS"}],"descriptions":[{"lang":"en","value":"A flaw was found in KubeVirt's virt-handler network cache handling. The WriteToCachedFile function writes data to a launcher-rooted path using os.WriteFile and os.Chown without symlink protection. A user with access to the virt-launcher container can plant a symlink at the cache file path, causing virt-handler to follow it and overwrite an arbitrary host file with JSON content and change its ownership."}],"affected":[{"vendor":"Red Hat","product":"Red Hat OpenShift Virtualization 4","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"container-native-virtualization/virt-handler","defaultStatus":"affected","cpes":["cpe:/a:redhat:container_native_virtualization:4"]},{"vendor":"Red Hat","product":"Red Hat OpenShift Virtualization 4","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"container-native-virtualization/virt-handler-rhel9","defaultStatus":"affected","cpes":["cpe:/a:redhat:container_native_virtualization:4"]}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-13218","tags":["vdb-entry","x_refsource_REDHAT"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2492654","name":"RHBZ#2492654","tags":["issue-tracking","x_refsource_REDHAT"]}],"datePublic":"2026-06-25T00:00:00.000Z","problemTypes":[{"descriptions":[{"cweId":"CWE-61","description":"UNIX Symbolic Link (Symlink) Following","lang":"en","type":"CWE"}]}],"x_redhatCweChain":"CWE-61: UNIX Symbolic Link (Symlink) Following","workarounds":[{"lang":"en","value":"Ensure virtual machines use the default masquerade network binding mode where possible. Restrict pods/exec access on virt-launcher pods to only trusted administrators. Review and restrict NetworkAttachmentDefinition resources to limit which namespaces can configure bridge-type network interfaces."}],"timeline":[{"lang":"en","time":"2026-06-24T00:00:00.000Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-25T00:00:00.000Z","value":"Made public."}],"credits":[{"lang":"en","value":"This issue was discovered by Huzaifa Sidhpurwala (Red Hat)."}],"providerMetadata":{"orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat","dateUpdated":"2026-06-25T23:23:23.228Z"},"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-26T14:58:08.187830Z","id":"CVE-2026-13218","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-26T14:58:48.021Z"}}]}}