CVE-2026-13322 in OpenShift Virtualization
Summary
by MITRE • 06/26/2026
A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine(), which buffers input indefinitely until a newline character is received, with no length limit or read deadline. A user with access to a VM guest that has the downward metrics virtio-serial device configured can write a continuous byte stream to the device, causing unbounded memory allocation in the virt-handler process until it is OOM-killed.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/26/2026
The vulnerability resides within KubeVirt's implementation of downward metrics functionality through the virtio-serial server component that facilitates communication between virtual machine guests and the host control plane. This specific flaw manifests in the processing logic where textproto.Reader.ReadLine() is employed to read incoming data streams from guest VMs connected via the downward metrics virtio-serial device. The implementation lacks any form of input validation or buffer limitation mechanisms, creating a fundamental security weakness that directly violates secure coding practices and industry standards such as CWE-704 which addresses improper input handling in network protocols.
The technical exploitation occurs when a malicious user with access to a VM guest that has the downward metrics virtio-serial device properly configured can continuously write data to this communication channel without any imposed limits on data size or read duration. The textproto.Reader.ReadLine() function processes input by buffering bytes indefinitely until it encounters a newline character, creating an unbounded memory consumption pattern where each continuous byte stream causes progressive memory allocation within the virt-handler process. This memory exhaustion vulnerability directly maps to CWE-400 which covers unrestricted resource consumption and represents a classic denial-of-service scenario that can be triggered through simple network communication patterns.
The operational impact of this vulnerability extends beyond simple service disruption as it creates a persistent threat vector that can be exploited by any user with guest VM access, potentially leading to complete system instability within the Kubernetes cluster. The virt-handler process becomes vulnerable to out-of-memory conditions that result in automatic termination and subsequent restart cycles, creating cascading failures across the virtualization infrastructure. This vulnerability directly aligns with ATT&CK technique T1499.004 which covers network denial of service attacks, and represents a significant risk to cluster availability and guest VM stability in production environments.
Mitigation strategies must address both immediate protection and long-term architectural improvements to prevent similar vulnerabilities from emerging in future implementations. The most direct approach involves implementing explicit read timeouts and maximum buffer size limitations within the textproto.Reader.ReadLine() processing logic to prevent indefinite memory allocation. Additionally, input validation should be enforced to limit the maximum length of data that can be processed through the virtio-serial communication channel. Organizations should also consider implementing resource limits and memory constraints on the virt-handler process to provide additional defense-in-depth measures. The fix should align with secure coding guidelines from NIST SP 800-160 and OWASP Top 10 practices, particularly focusing on input validation and resource management controls that prevent unbounded growth patterns in critical system components.