🟠 High | Source: Microsoft Security Response Center
CVE-2026-13322 is a denial-of-service vulnerability in KubeVirt’s virt-handler component, where an unbounded readline operation on a virtio-serial channel can consume excessive memory, causing the process to crash due to out-of-memory (OOM) conditions. This affects Kubernetes environments running KubeVirt for virtual machine workloads, including Azure deployments. An attacker or a misbehaving guest VM could exploit this to disrupt the virt-handler, potentially taking down VM management on an affected node.
Security Architect’s Take: Identify any Azure or self-managed Kubernetes clusters running KubeVirt and apply vendor-supplied patches promptly; in the interim, consider restricting guest access to virtio-serial interfaces and monitoring virt-handler memory usage to detect anomalous consumption before it causes node-level disruption.
Original advisory: CVE-2026-13322 Kubevirt: virt-handler-rhel9: kubevirt: unbounded virtio-serial readline in virt-handler causes oom denial of service
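As an added illustration of the bug class (this is example code written for this summary, not KubeVirt's code and not the vendor's fix), the unbounded line-read pattern in Go beside a bounded reader that fails fast instead of buffering forever; `ReadLineUnbounded`, `ReadLineBounded`, `endlessReader` and the 4096-byte cap are assumptions made for the example:

```go
package main

import (
	"bufio"
	"errors"
	"io"
	"strings"
)

// ErrLineTooLong is returned when a line exceeds the configured cap.
var ErrLineTooLong = errors.New("virtio-serial line exceeds maximum length")

// endlessReader stands in for a guest that keeps writing bytes but never a
// newline (constructed test input; Read never returns EOF).
type endlessReader struct{}

func (endlessReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'A'
	}
	return len(p), nil
}

// ReadLineUnbounded is the risky pattern: it buffers until '\n' arrives, so a
// peer that never sends one grows the buffer until the process is OOM-killed.
func ReadLineUnbounded(r io.Reader) (string, error) {
	return bufio.NewReader(r).ReadString('\n')
}

// ReadLineBounded reads at most maxLen bytes while looking for '\n'; memory
// use is capped at maxLen plus bufio's fixed buffer, whatever the peer sends.
func ReadLineBounded(r io.Reader, maxLen int) (string, error) {
	br := bufio.NewReader(r)
	var sb strings.Builder
	for sb.Len() < maxLen {
		b, err := br.ReadByte()
		if err == io.EOF && sb.Len() > 0 {
			return sb.String(), nil // last line had no trailing newline
		}
		if err != nil {
			return "", err
		}
		if b == '\n' {
			return sb.String(), nil
		}
		sb.WriteByte(b)
	}
	return "", ErrLineTooLong
}
```

The bounded reader returns `ErrLineTooLong` after `maxLen` bytes on the endless input, whereas the unbounded version would keep allocating, which is exactly the condition a memory-usage alert on virt-handler should catch.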