🟠 High | Source: Microsoft Security Response Center
CVE-2026-13218 is a symlink-following vulnerability in KubeVirt’s virt-launcher component: the writeToCache function follows a symbolic link at the path it writes to, so a malicious or compromised virtual machine workload that can plant such a link redirects the write to an arbitrary file on the underlying host. This is a container/VM escape-class issue, since it breaks the isolation boundary between the virtualised workload and the host node; an arbitrary file overwrite on a node is generally enough to compromise the node and, from there, every other workload scheduled on it. The impact is greatest in multi-tenant Kubernetes environments where KubeVirt runs VMs alongside containerised workloads.
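The vulnerability class, shown with an added Go example that is not KubeVirt’s code and does not reproduce the actual writeToCache logic: a naive cache writer that follows a symlink planted in its cache directory, beside a hardened writer that refuses symlinks at every path component and opens the target with O_NOFOLLOW. The cache directory layout, the file names and the writer functions are assumptions for illustration; the demo builds its own sandbox in a temporary directory so it runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrSymlink is returned when any component of the cache path is a symlink.
var ErrSymlink = errors.New("refusing to follow symlink in cache path")

// naiveWrite is the vulnerable pattern (illustrative, not KubeVirt's code):
// os.WriteFile follows symlinks, so a link planted at the cache path
// redirects the write to whatever the link points at.
func naiveWrite(path string, data []byte) error {
	return os.WriteFile(path, data, 0o644)
}

// rejectSymlink fails if p itself is a symbolic link (Lstat does not follow).
func rejectSymlink(p string) error {
	fi, err := os.Lstat(p)
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return ErrSymlink
	}
	return nil
}

// safeWrite writes data to root/name without following symlinks anywhere in
// the path. Parent directories are checked with Lstat; the final component is
// opened with O_NOFOLLOW so a link swapped in after the check still fails.
func safeWrite(root, name string, data []byte) error {
	clean := filepath.Clean(name)
	if filepath.IsAbs(clean) || clean == "." || clean == ".." ||
		strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return fmt.Errorf("invalid cache name %q", name)
	}
	// A symlinked parent would redirect the final open even with O_NOFOLLOW
	// on the last component, so check root and every directory below it.
	if err := rejectSymlink(root); err != nil {
		return err
	}
	cur := root
	for _, part := range strings.Split(filepath.Dir(clean), string(filepath.Separator)) {
		if part == "." {
			continue
		}
		cur = filepath.Join(cur, part)
		if err := rejectSymlink(cur); err != nil {
			return err
		}
	}
	f, err := os.OpenFile(filepath.Join(root, clean),
		os.O_WRONLY|os.O_CREATE|os.O_TRUNC|syscall.O_NOFOLLOW, 0o644)
	if err != nil {
		if errors.Is(err, syscall.ELOOP) { // Linux reports a symlink as ELOOP
			return ErrSymlink
		}
		return err
	}
	defer f.Close()
	fi, err := f.Stat()
	if err != nil {
		return err
	}
	if !fi.Mode().IsRegular() {
		return fmt.Errorf("%s is not a regular file", clean)
	}
	if _, err := f.Write(data); err != nil {
		return err
	}
	return f.Sync()
}

// Result records what each writer did to the constructed "host" file.
type Result struct {
	NaiveOverwrote bool // host file changed after naiveWrite
	SafeRejected   bool // safeWrite returned an error
	HostIntact     bool // host file unchanged after safeWrite
}

// Demo builds a sandbox: a host-side file outside the cache directory, and an
// attacker-planted symlink inside the cache pointing at it. Both writers are
// then asked to write the cached file "vm.cache".
func Demo() (Result, error) {
	var r Result
	tmp, err := os.MkdirTemp("", "kv-cache-demo")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(tmp)
	host := filepath.Join(tmp, "host-file") // stands in for a file on the node
	cache := filepath.Join(tmp, "cache")    // stands in for the cache directory
	if err := os.WriteFile(host, []byte("original"), 0o644); err != nil {
		return r, err
	}
	if err := os.Mkdir(cache, 0o755); err != nil {
		return r, err
	}
	if err := os.Symlink(host, filepath.Join(cache, "vm.cache")); err != nil {
		return r, err
	}
	if err := naiveWrite(filepath.Join(cache, "vm.cache"), []byte("pwned")); err != nil {
		return r, err
	}
	b, _ := os.ReadFile(host)
	r.NaiveOverwrote = string(b) == "pwned"
	if err := os.WriteFile(host, []byte("original"), 0o644); err != nil {
		return r, err
	}
	err = safeWrite(cache, "vm.cache", []byte("pwned"))
	r.SafeRejected = err != nil
	b, _ = os.ReadFile(host)
	r.HostIntact = string(b) == "original"
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		fmt.Println("demo failed:", err)
		return
	}
	fmt.Printf("naive writer overwrote host file: %v\n", r.NaiveOverwrote)
	fmt.Printf("safe writer rejected symlink: %v, host file intact: %v\n", r.SafeRejected, r.HostIntact)
}
```

The Lstat walk over parent directories is still a check-then-use window; on Linux 5.6 and later, opening with openat2 and RESOLVE_NO_SYMLINKS (golang.org/x/sys/unix.Openat2) makes the kernel enforce the same rule atomically, which is the stronger fix when the cache root sits on a path a guest can influence.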
Security Architect’s Take: Inventory any AKS or Azure-hosted Kubernetes clusters running KubeVirt, confirm which KubeVirt release each one runs, and apply the patched release as soon as it is available. Until then, limit the blast radius: restrict virt-launcher pod permissions with PodSecurity admission policies (test the profile first, since virt-launcher pods may need privileges the restricted profile denies, and a policy that blocks them stops VMs from starting; the policy also does not fix the symlink handling itself), and make sure node-level file integrity monitoring covers the host paths mounted into virt-launcher pods so an unexpected write originating from a VM pod is detected.
Original advisory: CVE-2026-13218 Kubevirt: kubevirt: symlink following in writetocachedfile allows host file overwrite from virt-launcher