CVE-2026-13201: UNIX Symbolic Link (Symlink) Following in Red Hat Red Hat OpenShift Virtualization 4
CVE-2026-13201 is a medium severity vulnerability in Red Hat OpenShift Virtualization 4 related to symbolic link (symlink) following. The flaw exists in KubeVirt's safepath package where the OpenAtNoFollow function attempts to prevent symlink dereferencing but downstream operations still follow symlinks via /proc/self/fd/N. This allows an attacker with access to a virt-launcher pod to cause virt-handler to incorrectly apply file ownership or permission changes to unintended host paths.
AI Analysis
Technical Summary
The vulnerability in Red Hat OpenShift Virtualization 4 arises from KubeVirt's safepath package's OpenAtNoFollow function, which uses O_PATH|O_NOFOLLOW flags to obtain a file descriptor without following symlinks. However, subsequent helper functions operate through /proc/self/fd/N and invoke system calls that follow symlinks, defeating the no-follow protection. This discrepancy allows an attacker with access to a virt-launcher pod to exploit the symlink dereference to cause virt-handler to modify file ownership or permissions on unintended host filesystem paths, potentially impacting system integrity and availability.
Potential Impact
An attacker with access to a virt-launcher pod can exploit this vulnerability to cause virt-handler to apply file ownership or permission changes to unintended host paths. This can lead to unauthorized modification of host filesystem permissions or ownership, potentially disrupting system operations or enabling further privilege escalation. The CVSS score of 5.2 reflects a medium severity with limited attack vector (local), low complexity, and no user interaction required, but with a scope change and impact on integrity and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://access.redhat.com/security/cve/CVE-2026-13201 for current remediation guidance. No official fix or workaround is explicitly stated in the provided advisory content. Until a patch is available, restrict access to virt-launcher pods to trusted users only and monitor for suspicious activity related to file permission or ownership changes on the host. Follow Red Hat's official guidance once published.
CVE-2026-13201: UNIX Symbolic Link (Symlink) Following in Red Hat Red Hat OpenShift Virtualization 4
Description
CVE-2026-13201 is a medium severity vulnerability in Red Hat OpenShift Virtualization 4 related to symbolic link (symlink) following. The flaw exists in KubeVirt's safepath package where the OpenAtNoFollow function attempts to prevent symlink dereferencing but downstream operations still follow symlinks via /proc/self/fd/N. This allows an attacker with access to a virt-launcher pod to cause virt-handler to incorrectly apply file ownership or permission changes to unintended host paths.
CVSS v3.1
Score 5.2medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Red Hat OpenShift Virtualization 4 arises from KubeVirt's safepath package's OpenAtNoFollow function, which uses O_PATH|O_NOFOLLOW flags to obtain a file descriptor without following symlinks. However, subsequent helper functions operate through /proc/self/fd/N and invoke system calls that follow symlinks, defeating the no-follow protection. This discrepancy allows an attacker with access to a virt-launcher pod to exploit the symlink dereference to cause virt-handler to modify file ownership or permissions on unintended host filesystem paths, potentially impacting system integrity and availability.
Potential Impact
An attacker with access to a virt-launcher pod can exploit this vulnerability to cause virt-handler to apply file ownership or permission changes to unintended host paths. This can lead to unauthorized modification of host filesystem permissions or ownership, potentially disrupting system operations or enabling further privilege escalation. The CVSS score of 5.2 reflects a medium severity with limited attack vector (local), low complexity, and no user interaction required, but with a scope change and impact on integrity and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://access.redhat.com/security/cve/CVE-2026-13201 for current remediation guidance. No official fix or workaround is explicitly stated in the provided advisory content. Until a patch is available, restrict access to virt-launcher pods to trusted users only and monitor for suspicious activity related to file permission or ownership changes on the host. Follow Red Hat's official guidance once published.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-06-24T13:58:29.925Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-13201","vendor":"Red Hat"}]
Threat ID: 6a3c4ce14853345fc1df8cd5
Added to database: 06/24/2026, 21:32:17 UTC
Last enriched: 06/24/2026, 21:47:26 UTC
Last updated: 06/25/2026, 02:35:04 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.