KubeVirt
v1.7.4Orchestration & ManagementKubeVirt v1.7.4 is a patch release fixing a CVE in gRPC, authorization bugs, live migration on IPv6, and probe-triggered pod restarts during VM lifecycle events.
securityPatch CVE-2026-33186 by upgrading to v1.7.4 now
The gRPC dependency was vulnerable to CVE-2026-33186. This is a direct dependency bump to 1.79.3, so upgrading your KubeVirt installation to v1.7.4 is the only required action — no configuration changes needed. Prioritize this if your cluster runs workloads exposed to untrusted input over gRPC.
breakingAudit authorization if you use VNC, SEV, or evacuate subresources
The SubjectAccessReview truncation bug meant RBAC checks were being evaluated against incorrect subresource names — which could have allowed access that should have been denied, or denied access that should have been allowed. After upgrading, verify that your RBAC policies for vnc/screenshot, sev/*, and evacuate/cancel subresources behave as intended. This is not just a security fix; it's a correctness fix for authorization logic.
enhancementVMs using GuestAgentPing probes during migrations or pauses should no longer bounce
If you've been seeing unexpected virt-launcher pod restarts during live migrations or VM pause operations, this was a known probe behavior issue. The fix suppresses false-positive probe failures during pre-copy target, post-copy source, user pause, snapshot, save, and dump states. No action required — just upgrade. If you had workarounds in place (e.g., disabling GuestAgentPing during migrations), you can now remove them.
Key changes (5)
- CVE-2026-33186 remediated by bumping google.golang.org/grpc to 1.79.3
- GuestAgentPing probes no longer trigger virt-launcher pod restarts during live migration, pause, snapshot, save, or dump operations
- Cross-namespace live migration now works correctly on IPv6 clusters
- Fixed virt-api SubjectAccessReview bug that caused authorization checks against wrong subresource names for vnc/screenshot, sev/*, and evacuate/cancel endpoints
- PCI hostdev VMs no longer fail to restart after hotplugging a block volume; PCI topology now gates on machine type, not just architecture