QwikSec

Security Database

CVE

CWE

Training

CVE-2025-64324

Published: Nov 18, 2025

Modified: Feb 26, 2026

PUBLISHED

Description

KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn't exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.

Vendor	Product	Versions
kubevirt	kubevirt	affected `0 - < 1.6.1` affected `1.7.0-alpha.0 - < 1.7.0-rc.0`

Weaknesses (CWE)

References

https://github.com/kubevirt/kubevirt/security/advisories/GHSA-46xp-26xh-hpqh

https://github.com/kubevirt/kubevirt/pull/15037

https://github.com/kubevirt/kubevirt/commit/00d03e43e3bf03e563136695a4732b65ed42d764

https://github.com/kubevirt/kubevirt/commit/ff3b69b08b6b9c8d08d23735ca8d82455f790a69

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.