{"id":"AZL-70463","summary":"CVE-2025-64324 affecting package kubevirt for versions less than 0.59.0-31","details":"KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more specifically the `DiskOrCreate` option (which creates a file if it doesn't exist) has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system. Versions 1.6.1 and 1.7.0 fix the issue.","modified":"2026-04-01T05:22:30.087827Z","published":"2025-11-18T23:15:55Z","upstream":["CVE-2025-64324"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64324"}],"affected":[{"package":{"name":"kubevirt","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/kubevirt"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.59.0-31"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-70463.json"}}],"schema_version":"1.7.5"}