The vulnerability exists in KubeVirt's migration proxy component of Red Hat OpenShift Virtualization 4. If spec.configuration.migrations.disableTLS is set to true, the virt-handler binds a plain TCP listener on 0.0.0.0 (all interfaces) on a random port without any authentication or access control. This listener proxies directly to the virt-launcher's virtqemud control socket, enabling an attacker with a pod on the cluster network to send unfiltered libvirt RPC commands to other tenants' VMs. This can result in reading VM memory and configuration, modifying VM state, or destroying the VM. The bind address is always 0.0.0.0, so the port is reachable on the pod network regardless of migration network configuration. The API documentation only mentions removal of encryption when disabling TLS but does not disclose the removal of mutual authentication, leading to this critical security flaw.

An attacker with a running pod on the cluster network can connect to the unauthenticated migration proxy listener and issue unrestricted libvirt RPC commands against other tenants' virtual machines. This can lead to full compromise of VM confidentiality (reading VM memory and configuration), integrity (modifying VM state), and availability (destroying the VM). The vulnerability affects multi-tenant environments where pods share the cluster network, exposing critical VM control interfaces without authentication.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, avoid setting spec.configuration.migrations.disableTLS to true, as this disables all mutual authentication and exposes the migration proxy listener to unauthenticated access. Configure migration settings carefully and monitor Red Hat's advisory at https://access.redhat.com/security/cve/CVE-2026-13325 for updates and official patches.