Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-69970.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-69970
Upstream
Published
2025-11-07T23:15:46Z
Modified
2026-04-01T05:21:40.107812Z
Summary
CVE-2025-64437 affecting package kubevirt for versions less than 0.59.0-33
Details

KubeVirt is a virtual machine management add-on for Kubernetes. In versions before 1.5.3 and 1.6.1, the virt-handler does not verify whether the launcher-sock is a symlink or a regular file. This oversight can be exploited, for example, to change the ownership of arbitrary files on the host node to the unprivileged user with UID 107 (the same user used by virt-launcher), thus compromising the CIA (Confidentiality, Integrity and Availability) of data on the host. To successfully exploit this vulnerability, an attacker must be in control of the file system of the virt-launcher pod. This vulnerability is fixed in 1.5.3 and 1.6.1.

References

Affected packages

Azure Linux:2 / kubevirt

Package

Name
kubevirt
Purl
pkg:rpm/azure-linux/kubevirt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.59.0-33

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-69970.json"