11{
22 "schema_version" : " 1.4.0" ,
33 "id" : " GHSA-7jcp-v9w4-wjmg" ,
4- "modified" : " 2026-05-28T03:31:15Z " ,
4+ "modified" : " 2026-06-30T18:04:04Z " ,
55 "published" : " 2026-05-26T15:32:10Z" ,
66 "aliases" : [
77 " CVE-2026-7374"
88 ],
9+ "summary" : " KubeVirt has a Link Following vulnerability" ,
910 "details" : " A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to the host's container runtime (CRI-O) socket, an attacker can hijack virt-handler's privileged connection. This enables the attacker to access any Unix socket on the host, potentially leading to full control of the node and the entire cluster." ,
1011 "severity" : [
1112 {
1213 "type" : " CVSS_V3" ,
1314 "score" : " CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
1415 }
1516 ],
16- "affected" : [],
17+ "affected" : [
18+ {
19+ "package" : {
20+ "ecosystem" : " Go" ,
21+ "name" : " kubevirt.io/kubevirt"
22+ },
23+ "ranges" : [
24+ {
25+ "type" : " ECOSYSTEM" ,
26+ "events" : [
27+ {
28+ "introduced" : " 1.8.0-alpha.0"
29+ },
30+ {
31+ "fixed" : " 1.8.3"
32+ }
33+ ]
34+ }
35+ ]
36+ },
37+ {
38+ "package" : {
39+ "ecosystem" : " Go" ,
40+ "name" : " kubevirt.io/kubevirt"
41+ },
42+ "ranges" : [
43+ {
44+ "type" : " ECOSYSTEM" ,
45+ "events" : [
46+ {
47+ "introduced" : " 1.7.0-alpha.0"
48+ },
49+ {
50+ "fixed" : " 1.7.4"
51+ }
52+ ]
53+ }
54+ ]
55+ },
56+ {
57+ "package" : {
58+ "ecosystem" : " Go" ,
59+ "name" : " kubevirt.io/kubevirt"
60+ },
61+ "ranges" : [
62+ {
63+ "type" : " ECOSYSTEM" ,
64+ "events" : [
65+ {
66+ "introduced" : " 0"
67+ },
68+ {
69+ "fixed" : " 1.6.6"
70+ }
71+ ]
72+ }
73+ ]
74+ }
75+ ],
1776 "references" : [
1877 {
1978 "type" : " ADVISORY" ,
2079 "url" : " https://nvd.nist.gov/vuln/detail/CVE-2026-7374"
2180 },
2281 {
2382 "type" : " WEB" ,
24- "url" : " https://access.redhat. com/errata/RHSA-2026:20720 "
83+ "url" : " https://github. com/kubevirt/kubevirt/pull/17916 "
2584 },
2685 {
2786 "type" : " WEB" ,
28- "url" : " https://access.redhat. com/errata/RHSA-2026:20736 "
87+ "url" : " https://github. com/kubevirt/kubevirt/commit/011eef8129e2c21e0ea496f283ee1676009bc757 "
2988 },
3089 {
3190 "type" : " WEB" ,
32- "url" : " https://access.redhat.com/errata/RHSA-2026:20763"
91+ "url" : " https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-7374.json"
92+ },
93+ {
94+ "type" : " PACKAGE" ,
95+ "url" : " https://github.com/kubevirt/kubevirt"
3396 },
3497 {
3598 "type" : " WEB" ,
36- "url" : " https://access .redhat.com/errata/RHSA-2026:20767 "
99+ "url" : " https://bugzilla .redhat.com/show_bug.cgi?id=2463728 "
37100 },
38101 {
39102 "type" : " WEB" ,
40- "url" : " https://access.redhat.com/errata/RHSA -2026:20782 "
103+ "url" : " https://access.redhat.com/security/cve/CVE -2026-7374 "
41104 },
42105 {
43106 "type" : " WEB" ,
44- "url" : " https://access.redhat.com/errata/RHSA-2026:20825 "
107+ "url" : " https://access.redhat.com/errata/RHSA-2026:20975 "
45108 },
46109 {
47110 "type" : " WEB" ,
48- "url" : " https://access.redhat.com/errata/RHSA-2026:20866 "
111+ "url" : " https://access.redhat.com/errata/RHSA-2026:20890 "
49112 },
50113 {
51114 "type" : " WEB" ,
52115 "url" : " https://access.redhat.com/errata/RHSA-2026:20886"
53116 },
54117 {
55118 "type" : " WEB" ,
56- "url" : " https://access.redhat.com/errata/RHSA-2026:20890 "
119+ "url" : " https://access.redhat.com/errata/RHSA-2026:20866 "
57120 },
58121 {
59122 "type" : " WEB" ,
60- "url" : " https://access.redhat.com/errata/RHSA-2026:20975 "
123+ "url" : " https://access.redhat.com/errata/RHSA-2026:20825 "
61124 },
62125 {
63126 "type" : " WEB" ,
64- "url" : " https://access.redhat.com/security/cve/CVE -2026-7374 "
127+ "url" : " https://access.redhat.com/errata/RHSA -2026:20782 "
65128 },
66129 {
67130 "type" : " WEB" ,
68- "url" : " https://bugzilla.redhat.com/show_bug.cgi?id=2463728"
131+ "url" : " https://access.redhat.com/errata/RHSA-2026:20767"
132+ },
133+ {
134+ "type" : " WEB" ,
135+ "url" : " https://access.redhat.com/errata/RHSA-2026:20763"
136+ },
137+ {
138+ "type" : " WEB" ,
139+ "url" : " https://access.redhat.com/errata/RHSA-2026:20736"
140+ },
141+ {
142+ "type" : " WEB" ,
143+ "url" : " https://access.redhat.com/errata/RHSA-2026:20720"
69144 }
70145 ],
71146 "database_specific" : {
72147 "cwe_ids" : [
73148 " CWE-59"
74149 ],
75150 "severity" : " CRITICAL" ,
76- "github_reviewed" : false ,
77- "github_reviewed_at" : null ,
151+ "github_reviewed" : true ,
152+ "github_reviewed_at" : " 2026-06-30T18:04:03Z " ,
78153 "nvd_published_at" : " 2026-05-26T14:16:40Z"
79154 }
80155}
0 commit comments