CVE-2025-64433: 
NixOS vulnerability analysis and mitigation

CVE-2025-64433 affects KubeVirt, a virtual machine management add-on for Kubernetes, in versions prior to 1.5.3 and 1.6.1. The vulnerability was discovered and disclosed on November 6, 2025, allowing a VM to read arbitrary files from the virt-launcher pod's file system through improper symlink handling when mounting PVC disks into a VM (GitHub Advisory).

The vulnerability stems from improper symlink handling when mounting PVC disks into a VM. If a malicious user has control over a PVC's contents, they can create symbolic links pointing to files within the virt-launcher pod's file system. Since libvirt can treat regular files as block devices, any symlinked file can be mounted into the VM and read. The vulnerability has a CVSS v3.1 base score of 6.5 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector with low complexity and required privileges (GitHub Advisory).

This vulnerability breaches the container-to-VM isolation boundary, compromising the confidentiality of storage data. Although VMs are executed as an unprivileged user with UID 107 inside the virt-launcher container to limit accessible resources, this restriction is bypassed due to a second vulnerability that changes the ownership of mounted files to the unprivileged user prior to mounting (GitHub Advisory).

The vulnerability has been fixed in KubeVirt versions 1.5.3, 1.6.1, and 1.7.0. Users should upgrade to these patched versions to mitigate the risk. The fix involves implementing proper symlink handling and containment of disks inside volumes (GitHub Advisory).