Description

KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn't exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.

INFO

Published Date :

2025-11-18T22:10:19.661Z

Last Modified :

2026-02-26T16:21:07.132Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-64324 vulnerability.

Vendors Products
Kubevirt
  • Kubevirt
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64324.

URL Resource
https://github.com/kubevirt/kubevirt/commit/00d03e43e3bf03e563136695a4732b65ed42d764 cve-icon cve-icon cve-icon
https://github.com/kubevirt/kubevirt/commit/ff3b69b08b6b9c8d08d23735ca8d82455f790a69 cve-icon cve-icon cve-icon
https://github.com/kubevirt/kubevirt/pull/15037 cve-icon cve-icon cve-icon
https://github.com/kubevirt/kubevirt/security/advisories/GHSA-46xp-26xh-hpqh cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-64324 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-64324 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact