{"affected":[{"ecosystem_specific":{"binaries":[{"kubevirt-manifests":"1.6.3-150700.3.13.1","kubevirt-virtctl":"1.6.3-150700.3.13.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Containers 15 SP7","name":"kubevirt","purl":"pkg:rpm/suse/kubevirt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP7"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.6.3-150700.3.13.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container fixes the following issues:\n\nUpdated kubevirt to version 1.6.3:\n\n  - CVE-2025-22872: Fixed incorrect interpretation of tags leading to content being placed in the wrong scope during DOM \n    construction in golang.org/x/net/html (bsc#1241772)\n  - CVE-2025-64432: Fixed bypass of RBAC controls due to incorrect validation of certain fields in the client\n    TLS certificate (bsc#1253181)\n  - CVE-2025-64433: Fixed arbitrary file read via improper symlink handling (bsc#1253185)\n  - CVE-2025-64434: Fixed privilege escalation via virt-api impersonation due to a compromised virt-handler\n    instance (bsc#1253186)\n  - CVE-2025-64437: Fixed mishandling of symlinks (bsc#1253194)\n  - CVE-2025-64324: Fixed a logic bug that allows an attacker to read and write arbitrary files owned by more\n    privileged users 
(bsc#1253748)\n\n","id":"SUSE-SU-2025:4330-1","modified":"2025-12-09T11:33:55Z","published":"2025-12-09T11:33:55Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-20254330-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1241772"},{"type":"REPORT","url":"https://bugzilla.suse.com/1250683"},{"type":"REPORT","url":"https://bugzilla.suse.com/1253181"},{"type":"REPORT","url":"https://bugzilla.suse.com/1253185"},{"type":"REPORT","url":"https://bugzilla.suse.com/1253186"},{"type":"REPORT","url":"https://bugzilla.suse.com/1253194"},{"type":"REPORT","url":"https://bugzilla.suse.com/1253384"},{"type":"REPORT","url":"https://bugzilla.suse.com/1253748"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-22872"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-64324"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-64432"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-64433"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-64434"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-64437"}],"related":["CVE-2025-22872","CVE-2025-64324","CVE-2025-64432","CVE-2025-64433","CVE-2025-64434","CVE-2025-64437"],"summary":"Security update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container","upstream":["CVE-2025-22872","CVE-2025-64324","CVE-2025-64432","CVE-2025-64433","CVE-2025-64434","CVE-2025-64437"]}