The Open Source Technology Improvement Fund (OSTIF) is proud to share the results of our security audit of KubeVirt. KubeVirt is short for Kubernetes Virtualization: the project is an API and runtime for managing virtual machines on Kubernetes. With the help of Quarkslab and the Cloud Native Computing Foundation (CNCF), the project can continue to support end-users who run virtual-machine workloads alongside the applications they are containerizing.
Audit Process:
This audit took place over 37 days in early 2025. Two auditors started the work by reviewing the function and structure of KubeVirt to create a threat model that would inform the rest of the engagement. The threat model, which was discussed with the project maintainers, defines the threat actors, attack scenarios, and attack surfaces of the project. It also directed the next part of the audit, which consisted of automated testing and manual code review scoped to the areas the threat model identified as weak points.
Audit Results:
- 15 Findings with Security Impact
  - 1 High
    - CVE-2025-64324
  - 7 Medium
    - CVE-2025-64432
    - CVE-2025-64433
    - CVE-2025-64434
    - CVE-2025-64435
    - CVE-2025-64436
    - CVE-2025-64437
  - 4 Low
  - 3 Informational
- Custom Threat Model
- Fix Recommendations
The auditors point out that the project's architecture prioritizes sandboxing and isolation, which makes it harder to escalate the exploitation of any single vulnerability. The majority of the findings reported from this audit fall under those conditions, which limits their impact and is reflected in their severity ranking. OSTIF wishes KubeVirt the best of luck on their journey to graduation with the CNCF.
Thank you to the individuals and groups that made this engagement possible:
- KubeVirt maintainers and community, especially: Andrew Burden, Fabian Deutsch, and Stu Gott
- Quarkslab: Sébastien Rolland, Mihail Kirov, and Pauline Sauder
- The Cloud Native Computing Foundation
You can read the Audit Report HERE
You can read KubeVirt’s Blog HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, email [email protected].
Interested in learning or talking more about open source security? Join us for an OSTIF meetup by following our calendar to automatically be alerted to new open source webinars: https://lu.ma/ostif-meetups