Home > Vulnerability Database > CVE-2025-64324

Mend.io Vulnerability Database

CVE-2025-64324

Good to know:

Date: November 18, 2025

KubeVirt is a virtual machine management add-on for Kubernetes. The "hostDisk" feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the "DiskOrCreate" option (which creates a file if it doesn't exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.

Severity Score

7.7

Related Resources (7)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-64324

Url: https://github.com/kubevirt/kubevirt/security/advisories/GHSA-46xp-26xh-hpqh

Url: https://github.com/kubevirt/kubevirt/commit/ff3b69b08b6b9c8d08d23735ca8d82455f790a69

Url: https://github.com/kubevirt/kubevirt

Url: https://github.com/kubevirt/kubevirt/pull/15037

Url: https://github.com/kubevirt/kubevirt/commit/00d03e43e3bf03e563136695a4732b65ed42d764

Url: https://www.mend.io/vulnerability-database/CVE-2025-64324

Severity Score

7.7

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Write-what-where Condition

CWE-123

Incorrect Permission Assignment for Critical Resource

CWE-732

Top Fix

Upgrade Version

Upgrade to version kubevirt.io/kubevirt - v1.6.1;kubevirt.io/kubevirt - v1.7.0-rc.0;https://github.com/kubevirt/kubevirt.git - v1.6.1

Learn More

CVSS v3.1

Base Score:	7.7
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-64324

Good to know:

Date: November 18, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?