
Cloud Vulnerability DB
A community-led vulnerabilities database
KubeVirt, a virtual machine management add-on for Kubernetes, has a vulnerability in versions 1.5.0 and earlier in which the permissions granted to the virt-handler service account could be abused. The vulnerability (CVE-2025-64436), disclosed on November 6, 2025, allows an attacker to force VMI (Virtual Machine Instance) migrations onto an attacker-controlled node by abusing those service account permissions (GitHub Advisory).
The vulnerability stems from excessive permissions granted to the virt-handler service account, which include the ability to update VMIs and patch nodes. The issue has a CVSS 4.0 base score of 6.9 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. It is associated with CWE-269 (Improper Privilege Management) and CWE-276 (Incorrect Default Permissions) (NVD).
An attacker who compromises a virt-handler service account can modify node labels across the cluster, including the kubevirt.io/schedulable label. This lets them mark nodes as unschedulable, forcing VMIs to be scheduled exclusively on compromised nodes. The attacker can also update VMI resources cluster-wide, including VMIs not running on the node the compromised virt-handler belongs to (GitHub Advisory).
A ValidatingAdmissionPolicy has been introduced to restrict which parts of node resources the virt-handler service account can modify: the spec section of nodes is made immutable, and modifications to the labels section are limited to kubevirt.io-prefixed labels only. Additionally, a mechanism similar to the kubelet's NodeRestriction feature exists but requires enabling a feature gate. The vulnerability is patched in version 1.7.0 (GitHub Advisory).
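The following manifest is an added example of how a ValidatingAdmissionPolicy of the kind described above can be expressed; it is not KubeVirt's own policy and not part of the original report. It assumes Kubernetes 1.30 or later (ValidatingAdmissionPolicy in admissionregistration.k8s.io/v1), a KubeVirt install in the kubevirt namespace whose handler runs as the service account kubevirt-handler (adjust the username to your deployment), and it matches label keys containing the substring "kubevirt.io" rather than a strict prefix so that node-labeller keys such as those under node.kubevirt.io also pass; that looser match is the author of this example's choice.

```yaml
# Added example, not KubeVirt's own manifest. Limits what the virt-handler
# service account may change on Node objects: spec becomes immutable, and
# only labels whose key contains "kubevirt.io" may be added, changed or removed.
# Assumed values: API version admissionregistration.k8s.io/v1 (Kubernetes 1.30+),
# install namespace "kubevirt", service account "kubevirt-handler".
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: virt-handler-node-restriction
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["*"]
        operations: ["UPDATE"]
        resources: ["nodes"]
  matchConditions:
    # Evaluate the validations only for requests made by the virt-handler service account.
    - name: is-virt-handler
      expression: 'request.userInfo.username == "system:serviceaccount:kubevirt:kubevirt-handler"'
  validations:
    # 1. The node spec (taints, unschedulable, podCIDR, ...) must not change.
    - expression: 'object.spec == oldObject.spec'
      message: "virt-handler may not modify node spec"
    # 2. An existing label may be removed or changed only if its key is a kubevirt.io label;
    #    every other key must still be present with the same value.
    - expression: >-
        (has(oldObject.metadata.labels) ? oldObject.metadata.labels : {}).all(k,
          k.contains("kubevirt.io") ||
          (has(object.metadata.labels) && k in object.metadata.labels &&
           object.metadata.labels[k] == oldObject.metadata.labels[k]))
      message: "virt-handler may only remove or change kubevirt.io labels"
    # 3. A label may be added only under a kubevirt.io key; any other key in the
    #    new object must already have existed in the old object.
    - expression: >-
        (has(object.metadata.labels) ? object.metadata.labels : {}).all(k,
          k.contains("kubevirt.io") ||
          (has(oldObject.metadata.labels) && k in oldObject.metadata.labels))
      message: "virt-handler may only add kubevirt.io labels"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: virt-handler-node-restriction
spec:
  policyName: virt-handler-node-restriction
  # Deny (rather than only audit or warn) requests that fail any validation.
  validationActions: ["Deny"]
```

Apply both objects with kubectl and confirm with a dry-run update that a node spec change or a non-KubeVirt label change by that service account is rejected with the configured message, while a normal cluster administrator is unaffected because the match condition keys on the requesting username. Note what this policy does and does not cover: it stops the handler from tampering with node spec and with labels owned by other components, but it still lets the service account set kubevirt.io/schedulable on any node, which is the label the advisory describes. Binding each virt-handler to its own node is what the NodeRestriction-like mechanism behind the feature gate mentioned above is for, so the two controls complement each other.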
Source: This report was generated using AI