CVE-2026-7374

ADVISORY - github

Summary

A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to the host's container runtime (CRI-O) socket, an attacker can hijack virt-handler's privileged connection. This enables the attacker to access any Unix socket on the host, potentially leading to full control of the node and the entire cluster.

EPSS Score: 0.00596 (0.442)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Improper Link Resolution Before File Access ('Link Following')

ADVISORY - github

Improper Link Resolution Before File Access ('Link Following')

ADVISORY - redhat

Improper Link Resolution Before File Access ('Link Following')


NIST

CREATED

UPDATED

ADVISORY IDCVE-2026-7374
EXPLOITABILITY SCORE

3.1

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

9.9critical

GitHub

CREATED

UPDATED

EXPLOITABILITY SCORE

3.1

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

9.9critical

Red Hat

CREATED

UPDATED

ADVISORY IDCVE-2026-7374
EXPLOITABILITY SCORE

3.1

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

9.9high

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-qv62-2r4f-wr34

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-7v9q-f4jr-h4hh

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

UPDATED

ADVISORY ID

MINI-vf3v-w73q-hh5v

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY