
Cloud Vulnerability DB
A community-led vulnerabilities database
KubeVirt, a virtual machine management add-on for Kubernetes, was found to contain a security vulnerability (CVE-2025-64434) affecting versions prior to 1.5.3 and 1.6.1. The vulnerability was disclosed on November 6, 2025, and involves improper TLS certificate management that could allow a compromised virt-handler instance to impersonate virt-api (GitHub Advisory).
The vulnerability stems from improper TLS client certificate validation within the KubeVirt virt-handler component. The core issue is that virt-handler cannot differentiate between mTLS connections originating from the privileged virt-api server and those from other virt-handler instances because both use client certificates with the same Subject Common Name (CN): kubevirt.io:system:client:virt-handler. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (Medium) with vector AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory, Miggo).
Because virt-handler's peer verification logic (verifyPeerCert) cannot tell these shared credentials apart, an attacker who has compromised one virt-handler instance could use them to impersonate virt-api and execute privileged operations against other virt-handler instances, potentially compromising the integrity and availability of the VMs those instances manage (GitHub Advisory).
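To make the identity collision concrete, the following is an added Go illustration, not KubeVirt's own code, of a tls.Config.VerifyPeerCertificate callback that gates a privileged endpoint on the client's Subject CN: when the gate is the shared virt-handler CN, a compromised handler's certificate is indistinguishable from virt-api's, while the hardened form requires a distinct virt-api CN, which is an assumed placeholder here and not the project's actual fix.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// handlerCN is the shared Subject CN named in the advisory. virtAPICN is a constructed
// placeholder for a distinct virt-api identity, not a value taken from KubeVirt.
const (
	handlerCN = "kubevirt.io:system:client:virt-handler"
	virtAPICN = "kubevirt.io:system:client:virt-api" // assumption
)

// peerCNCheck returns a tls.Config.VerifyPeerCertificate callback that admits only a
// client whose leaf certificate (in the first CA-verified chain) carries allowedCN.
func peerCNCheck(allowedCN string) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		if len(chains) == 0 || len(chains[0]) == 0 {
			return errors.New("no verified client certificate chain")
		}
		if cn := chains[0][0].Subject.CommonName; cn != allowedCN {
			return fmt.Errorf("client CN %q is not authorized for privileged calls", cn)
		}
		return nil
	}
}

// VulnerablePrivilegedCheck gates a privileged endpoint on the CN that virt-api and
// every virt-handler share, so a compromised handler's certificate is accepted as virt-api.
var VulnerablePrivilegedCheck = peerCNCheck(handlerCN)
// HardenedPrivilegedCheck gates the same endpoint on a CN no virt-handler holds.
var HardenedPrivilegedCheck = peerCNCheck(virtAPICN)

// chainWithCN builds a constructed, unsigned leaf certificate for exercising the checks.
func chainWithCN(cn string) [][]*x509.Certificate {
	return [][]*x509.Certificate{{&x509.Certificate{Subject: pkix.Name{CommonName: cn}}}}
}

func main() {
	// Server-side wiring: chains are CA-verified first, then the CN check runs.
	cfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, VerifyPeerCertificate: HardenedPrivilegedCheck}
	peer := chainWithCN(handlerCN) // a compromised virt-handler's identity
	fmt.Println("vulnerable check:", VulnerablePrivilegedCheck(nil, peer)) // <nil>: accepted
	fmt.Println("hardened check:  ", cfg.VerifyPeerCertificate(nil, peer))  // rejected
}
```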
The vulnerability has been fixed in KubeVirt versions 1.5.3 and 1.6.1. Users are advised to upgrade to these patched versions to protect against this security issue (GitHub Advisory).
Source: This report was generated using AI