{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-7374","assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","state":"PUBLISHED","assignerShortName":"redhat","dateReserved":"2026-04-29T06:46:44.106Z","datePublished":"2026-05-26T13:14:53.851Z","dateUpdated":"2026-06-30T12:10:58.219Z"},"containers":{"cna":{"title":"Kubevirt: kubevirt virt-handler: privilege escalation and node compromise via symlink following vulnerability","metrics":[{"other":{"content":{"value":"Important","namespace":"https://access.redhat.com/security/updates/classification/"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.9,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"descriptions":[{"lang":"en","value":"A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to the host's container runtime (CRI-O) socket, an attacker can hijack virt-handler's privileged connection. This enables the attacker to access any Unix socket on the host, potentially leading to full control of the node and the entire cluster."}],"affected":[{"vendor":"Red Hat","product":"Red Hat Container Native Virtualization 4.12","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"container-native-virtualization/virt-handler","defaultStatus":"affected","versions":[{"version":"1779375376","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:container_native_virtualization:4.12::el8"]},{"vendor":"Red Hat","product":"Red Hat Container Native Virtualization 4.13","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"container-native-virtualization/virt-handler-rhel9","defaultStatus":"affected","versions":[{"version":"1778999881","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:container_native_virtualization:4.13::el9"]},{"vendor":"Red Hat","product":"Red Hat Container Native Virtualization 4.14","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"container-native-virtualization/virt-handler-rhel9","defaultStatus":"affected","versions":[{"version":"1779321599","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:container_native_virtualization:4.14::el9"]},{"vendor":"Red Hat","product":"Red Hat Container Native Virtualization 4.15","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"container-native-virtualization/virt-handler-rhel9","defaultStatus":"affected","versions":[{"version":"1778859977","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:container_native_virtualization:4.15::el9"]},{"vendor":"Red Hat","product":"Red Hat Container Native Virtualization 4.16","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"container-native-virtualization/virt-handler-rhel9","defaultStatus":"affected","versions":[{"version":"1778861274","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:container_native_virtualization:4.16::el9"]},{"vendor":"Red Hat","product":"Red Hat Container Native Virtualization 4.17","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"container-native-virtualization/virt-handler-rhel9","defaultStatus":"affected","versions":[{"version":"1779174925","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:container_native_virtualization:4.17::el9"]},{"vendor":"Red Hat","product":"Red Hat Container Native Virtualization 4.18","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"container-native-virtualization/virt-handler-rhel9","defaultStatus":"affected","versions":[{"version":"1778887155","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:container_native_virtualization:4.18::el9"]},{"vendor":"Red Hat","product":"Red Hat Container Native Virtualization 4.19","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"container-native-virtualization/virt-handler-rhel9","defaultStatus":"affected","versions":[{"version":"1779289071","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:container_native_virtualization:4.19::el9"]},{"vendor":"Red Hat","product":"Red Hat Container Native Virtualization 4.20","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"container-native-virtualization/virt-handler-rhel9","defaultStatus":"affected","versions":[{"version":"1779288737","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:container_native_virtualization:4.20::el9"]},{"vendor":"Red Hat","product":"Red Hat Container Native Virtualization 4.21","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"container-native-virtualization/virt-handler-rhel9","defaultStatus":"affected","versions":[{"version":"1779420069","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:container_native_virtualization:4.21::el9"]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:20720","name":"RHSA-2026:20720","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2026:20736","name":"RHSA-2026:20736","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2026:20763","name":"RHSA-2026:20763","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2026:20767","name":"RHSA-2026:20767","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2026:20782","name":"RHSA-2026:20782","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2026:20825","name":"RHSA-2026:20825","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2026:20866","name":"RHSA-2026:20866","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2026:20886","name":"RHSA-2026:20886","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2026:20890","name":"RHSA-2026:20890","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/errata/RHSA-2026:20975","name":"RHSA-2026:20975","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/security/cve/CVE-2026-7374","tags":["vdb-entry","x_refsource_REDHAT"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2463728","name":"RHBZ#2463728","tags":["issue-tracking","x_refsource_REDHAT"]}],"datePublic":"2026-05-26T12:30:00.000Z","problemTypes":[{"descriptions":[{"cweId":"CWE-59","description":"Improper Link Resolution Before File Access ('Link Following')","lang":"en","type":"CWE"}]}],"x_redhatCweChain":"CWE-59: Improper Link Resolution Before File Access ('Link Following')","workarounds":[{"lang":"en","value":"Update cluster RBAC to not allow exec into virt-launcher pods."}],"timeline":[{"lang":"en","time":"2026-04-22T07:20:25.000Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-26T12:30:00.000Z","value":"Made public."}],"credits":[{"lang":"en","value":"This issue was discovered by Sarah Bennert (Red Hat) and Stoyan Nikolov (Red Hat)."}],"providerMetadata":{"orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat","dateUpdated":"2026-06-15T18:55:34.630Z"},"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-26T00:00:00+00:00","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3","id":"CVE-2026-7374"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-27T03:55:39.340Z"}},{"affected":[{"cpes":["cpe:/a:redhat:container_native_virtualization:4.12::el8"],"defaultStatus":"affected","product":"Red Hat Container Native Virtualization 4.12","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:container_native_virtualization:4.13::el9"],"defaultStatus":"affected","product":"Red Hat Container Native Virtualization 4.13","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:container_native_virtualization:4.14::el9"],"defaultStatus":"affected","product":"Red Hat Container Native Virtualization 4.14","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:container_native_virtualization:4.15::el9"],"defaultStatus":"affected","product":"Red Hat Container Native Virtualization 4.15","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:container_native_virtualization:4.16::el9"],"defaultStatus":"affected","product":"Red Hat Container Native Virtualization 4.16","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:container_native_virtualization:4.17::el9"],"defaultStatus":"affected","product":"Red Hat Container Native Virtualization 4.17","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:container_native_virtualization:4.18::el9"],"defaultStatus":"affected","product":"Red Hat Container Native Virtualization 4.18","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:container_native_virtualization:4.19::el9"],"defaultStatus":"affected","product":"Red Hat Container Native Virtualization 4.19","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:container_native_virtualization:4.20::el9"],"defaultStatus":"affected","product":"Red Hat Container Native Virtualization 4.20","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:container_native_virtualization:4.21::el9"],"defaultStatus":"affected","product":"Red Hat Container Native Virtualization 4.21","vendor":"Red Hat"}],"datePublic":"2026-05-26T12:30:00.000Z","descriptions":[{"lang":"en","value":"A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to the host's container runtime (CRI-O) socket, an attacker can hijack virt-handler's privileged connection. This enables the attacker to access any Unix socket on the host, potentially leading to full control of the node and the entire cluster."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.9,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-59","description":"Improper Link Resolution Before File Access ('Link Following')","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-7374"},{"name":"RHBZ#2463728","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2463728"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-7374.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:20825"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:20886"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:20890"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:20866"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:20975"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:20763"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:20736"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:20767"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:20782"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:20720"}],"solutions":[{"lang":"en","value":"RHSA-2026:20825: Red Hat Container Native Virtualization 4.12"},{"lang":"en","value":"RHSA-2026:20886: Red Hat Container Native Virtualization 4.13"},{"lang":"en","value":"RHSA-2026:20890: Red Hat Container Native Virtualization 4.14"},{"lang":"en","value":"RHSA-2026:20866: Red Hat Container Native Virtualization 4.15"},{"lang":"en","value":"RHSA-2026:20975: Red Hat Container Native Virtualization 4.16"},{"lang":"en","value":"RHSA-2026:20763: Red Hat Container Native Virtualization 4.17"},{"lang":"en","value":"RHSA-2026:20736: Red Hat Container Native Virtualization 4.18"},{"lang":"en","value":"RHSA-2026:20767: Red Hat Container Native Virtualization 4.19"},{"lang":"en","value":"RHSA-2026:20782: Red Hat Container Native Virtualization 4.20"},{"lang":"en","value":"RHSA-2026:20720: Red Hat Container Native Virtualization 4.21"}],"timeline":[{"lang":"en","time":"2026-04-22T07:20:25.000Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-26T12:30:00.000Z","value":"Made public."}],"title":"kubevirt: KubeVirt virt-handler: Privilege escalation and node compromise via symlink following vulnerability","workarounds":[{"lang":"en","value":"Update cluster RBAC to not allow exec into virt-launcher pods."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:10:58.219Z"}}]}}