A critical (CVSS 9.9) symlink validation flaw in KubeVirt's virt-handler component lets a low-privileged OpenShift user escalate from a single namespace to full control of the node and entire cluster.
What Is It
CVE-2026-7374 is an improper symlink validation vulnerability (CWE-59) in the virt-handler component of KubeVirt. When virt-handler connects to a virtual machine console socket, it does not properly validate that the socket path is not a symlink. An authenticated OpenShift user with edit permissions in a single namespace can replace the console socket with a symlink pointing to the host's container runtime (CRI-O) socket. Virt-handler then follows the symlink and connects with its own privileges, allowing the attacker to hijack that privileged connection and reach any Unix socket on the host.
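As an added illustration of the missing check (this is not KubeVirt's code; CheckConsoleSocket, ConnectConsole and the per-VM socket directory root are hypothetical), the Go snippet below walks the socket path component by component with Lstat, rejects any symlink or path outside root, and requires the final entry to be a Unix socket before dialing it.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
)

// ErrSymlink is returned when any component of the socket path is a symlink.
var ErrSymlink = errors.New("console socket path contains a symlink")

// CheckConsoleSocket verifies that path lies under root, that no path
// component is a symlink, and that the final entry is a Unix socket.
// os.Lstat is used (not os.Stat) so links are seen instead of followed.
func CheckConsoleSocket(root, path string) error {
	sep := string(filepath.Separator)
	rel, err := filepath.Rel(root, path)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return fmt.Errorf("%q is not inside %q", path, root)
	}
	cur, fi := root, os.FileInfo(nil)
	for _, part := range strings.Split(rel, sep) {
		cur = filepath.Join(cur, part)
		if fi, err = os.Lstat(cur); err != nil {
			return err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("%w: %q", ErrSymlink, cur)
		}
	}
	if fi.Mode()&os.ModeSocket == 0 {
		return fmt.Errorf("%q is not a unix socket", path)
	}
	return nil
}

// ConnectConsole dials only after the check passes; the vulnerable pattern is
// a bare net.Dial on a tenant-controlled path. Lstat-then-Dial still leaves a
// small race window; on Linux, openat2 with RESOLVE_NO_SYMLINKS closes it.
func ConnectConsole(root, path string) (net.Conn, error) {
	if err := CheckConsoleSocket(root, path); err != nil {
		return nil, err
	}
	return net.Dial("unix", path)
}

func main() {
	root, _ := os.MkdirTemp("", "console") // constructed sample directory
	defer os.RemoveAll(root)
	link := filepath.Join(root, "serial0")
	_ = os.Symlink("/run/crio/crio.sock", link) // the swap the advisory describes
	_, err := ConnectConsole(root, link)
	fmt.Println("dial via symlink:", err) // rejected with ErrSymlink
}
```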
Why It Matters
The CVSS 3.1 base score is 9.9 (CRITICAL), vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H: network attack vector, low attack complexity, low privileges required, no user interaction, and a changed scope with high impact to confidentiality, integrity, and availability. Successful exploitation collapses Kubernetes' multi-tenant isolation model: a tenant who only has edit rights inside one namespace can pivot to the underlying node's CRI-O socket and from there compromise the whole cluster. There is no current CISA KEV entry confirming active in-the-wild exploitation, but the privilege boundary being crossed makes this a high-priority issue for any OpenShift environment running KubeVirt.
What's Vulnerable
- KubeVirt's virt-handler component, as shipped in OpenShift environments
- Clusters where users are granted namespace-scoped edit permissions and KubeVirt VM consoles are in use
NVD has not yet enumerated affected CPEs (status: Awaiting Analysis); consult the Red Hat advisory for the authoritative version matrix.
Patch Status
CVE-2026-7374 was published on 2026-05-26 and is currently Awaiting Analysis at NVD. Red Hat is tracking the issue under Bugzilla 2463728 and has assigned the CVE via its security advisory; refer to the Red Hat security page below for fixed package versions and remediation guidance specific to OpenShift Virtualization.
Sources
- Red Hat Security Advisory; https://access.redhat.com/security/cve/CVE-2026-7374
- Red Hat Bugzilla 2463728; https://bugzilla.redhat.com/show_bug.cgi?id=2463728
- NVD CVE-2026-7374; https://nvd.nist.gov/vuln/detail/CVE-2026-7374