{"id":"AZL-69790","summary":"CVE-2025-64436 affecting package kubevirt for versions less than 1.6.3-1","details":"KubeVirt is a virtual machine management add-on for Kubernetes. In 1.5.0 and earlier, the permissions granted to the virt-handler service account, such as the ability to update VMI and patch nodes, could be abused to force a VMI migration to an attacker-controlled node. This vulnerability could otherwise allow an attacker to mark all nodes as unschedulable, potentially forcing the migration or creation of privileged pods onto a compromised node.","modified":"2026-04-21T04:36:14.518077Z","published":"2025-11-07T23:15:46Z","upstream":["CVE-2025-64436"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64436"}],"affected":[{"package":{"name":"kubevirt","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kubevirt"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.3-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-69790.json"}}],"schema_version":"1.7.5"}