CVE-2026-13322 | A flaw was found in KubeVirt's downward metrics virtio-seria… | CVSS 3.8 LOW

Description

A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is received, with no length limit or read deadline. A user with access to a VM guest that has the downward metrics virtio-serial device configured can write a continuous byte stream to the device, causing unbounded memory allocation in the virt-handler process until it is OOM-killed.

Metadata

CVE ID: CVE-2026-13322
State: PUBLISHED
Assigner: redhat
Reserved: 2026-06-25 08:58 UTC
Published: 2026-06-26 00:04 UTC
Last updated: 2026-06-26 00:04 UTC
Primary CWE: CWE-770
Allocation of Resources Without Limits or Throttling
Vendor / Product: Red Hat / Red Hat OpenShift Virtualization 4
Sources: cve.org · NVD

Severity & Metrics

3.8 LOW CVSS 3.1

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

Affected products (2)

Vendor	Product	Platform	Versions
Red Hat	Red Hat OpenShift Virtualization 4	—	—
Red Hat	Red Hat OpenShift Virtualization 4	—	—

Weakness (CWE)

CWE	Source	Description
CWE-770	cna	Allocation of Resources Without Limits or Throttling

CVSS scores (1)

Score	Severity	Version	Source	Vector
3.8	LOW	3.1	cna	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

References (2)