-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability occurs when DownwardMetrics is enabled, and an attacker repeatedly calls vm-dump-metrics --virtio before deleting the VM. The NULL dereference suggests the metrics handling function doesn't properly validate() VM/virtio device existence after deletion. The virt-handler component (specifically virtio metrics dumping logic) is the most plausible location for this flaw, as it directly interacts with VM devices and would crash if accessing a deleted resource. The combination of the attack vector (--virtio flag usage) and crash context points to a function responsible for virtio metrics collection without proper lifecycle checks.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| kubevirt.io/kubevirt | go | <= 1.2.0 |