A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to the host's container runtime (CRI-O) socket, an attacker can hijack virt-handler's privileged connection. This enables the attacker to access any Unix socket on the host, potentially leading to full control of the node and the entire cluster.
The vulnerability results from improper symlink validation (CWE-59) when establishing connections to virtual machine console sockets through the virt-handler component. An attacker replaces the console socket with a symbolic link (symlink) pointing to the CRI-O container runtime environment socket on the host. As a result, virt-handler, running with elevated privileges, unknowingly connects to the substituted socket, giving the attacker access to any Unix socket on the host.
An attacker can gain full control over a Kubernetes/OpenShift cluster node and subsequently expand the attack to the entire cluster, which includes compromising the confidentiality, integrity, and availability of all resources.
Apply patches available from the vendor according to the references (https://access.redhat.com/security/cve/CVE-2026-7374). As a temporary workaround, consider restricting edit permissions in namespaces to trusted users and monitoring access to virtual machine console sockets.
KubeVirt — virt-handler component running in OpenShift environments; specific versions indicated in vendor references (Red Hat Bugzilla #2463728)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H