cvedb.io
CVE-2025-64324
HIGH · CVSS 7.7
EPSS exploitation probability: 0%
Published 2025-11-18T23:15:55.293 · Last modified 2026-06-17T09:54:12.690

Summary

KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to versions 1.6.1 and 1.7.0, the implementation of this feature, and more specifically the `DiskOrCreate` option (which creates a file if it doesn't exist), has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.

Affected products

kubevirt — kubevirt

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.