CVE-2026-13201 | A flaw was found in KubeVirt's safepath package. The OpenAtN… | CVSS 5.2 MEDIUM

Description

A flaw was found in KubeVirt's safepath package. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream helpers operate via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel dereferences it, defeating the intended no-follow protection. An attacker with access to a virt-launcher pod can exploit this to cause virt-handler to apply file ownership or permission changes to an unintended host path.

Metadata

CVE ID: CVE-2026-13201
State: PUBLISHED
Assigner: redhat
Reserved: 2026-06-24 13:58 UTC
Published: 2026-06-24 20:39 UTC
Last updated: 2026-06-24 20:39 UTC
Primary CWE: CWE-61
UNIX Symbolic Link (Symlink) Following
Vendor / Product: Red Hat / Red Hat OpenShift Virtualization 4
Sources: cve.org · NVD

Severity & Metrics

5.2 MEDIUM CVSS 3.1

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L

Affected products (2)

Vendor	Product	Platform	Versions
Red Hat	Red Hat OpenShift Virtualization 4	—	—
Red Hat	Red Hat OpenShift Virtualization 4	—	—

Weakness (CWE)

CWE	Source	Description
CWE-61	cna	UNIX Symbolic Link (Symlink) Following

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.2	MEDIUM	3.1	cna	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L

References (2)