Upgrade kubevirt to 1.7.0, libvirt to 10.10.0 and QEMU to 9.1.0

[aadhar-agarwal]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

What does the PR accomplish, why was it needed?

• This PR upgrades kubevirt to 1.7.0, libvirt to 10.10.0 and QEMU to 9.1.0 to address virt-launcher memory leak affecting NAKS clusters.

Change Log

kubevirt

• Remove CVE-2025-47913.patch (ssh/agent package no longer vendored upstream)
  • The patch was removed because kubevirt 1.7.0 no longer vendors the vulnerable golang.org/x/crypto/ssh/agent package. The directory was removed in PR #15478 ("cleanup(virtctl): Drop native ssh and scp clients"), which eliminated the native SSH/SCP clients from virtctl and removed the dependency on the vulnerable package entirely.
• Remove CVE-2025-64435.patch (fixed upstream via PR#15680)
  • The patch was removed because the fix is included upstream in kubevirt 1.7.0 via PR #15680. The vulnerable pkg/controller/controller_ref.go file no longer exists in 1.7.0 - it was completely removed and replaced with secure standard Kubernetes API calls.
• Bump golang BuildRequires to >= 1.24 (required by upstream go.mod)
  • The BuildRequires: golang >= 1.24 change is required because kubevirt 1.7.0 updated its Go version via PR #15784: "Build KubeVirt with go v1.24.7". The project's go.mod now declares go 1.24.0, making Go 1.24+ mandatory for building.

libvirt

• Upgrade libvirt to 10.10.0
  • Removed CVE-2024-1441 (c664015f), CVE-2024-2494 (8a3f8d95), and CVE-2024-4418 (8074d64d) patches as these fixes are included in libvirt 10.10.0.
  • Updated CVE-2025-12748.patch to use header->format instead of header->compressed (field renamed in upstream commit bd6d7ebf6, included in libvirt v10.9.0)
  • Replaced yajl-devel with json-c-devel (9e6555fd - YAJL is dead upstream; libvirt switched to json-c in v10.8.0)

QEMU

• Upgrade QEMU from 8.2.0 to 9.1.0
• Remove CVE patches merged upstream:
  • CVE-2023-6683 (405484b2)
  • CVE-2023-6693 (2220e818)
  • CVE-2024-3447 (9e4b27ca)
  • CVE-2024-4467 (bd385a52)
  • CVE-2024-6505 (f1595ceb)
  • CVE-2024-4693 (2ce6cff9, 7eeb62b0)
  • CVE-2024-7730 (98e77e3d)
  • CVE-2024-3567 (83ddb3db)
  • CVE-2024-26327 (6081b424)
  • CVE-2024-26328 (91bb64a8)
  • CVE-2024-7409 (multiple upstream commits: fb1c2aaa, 3e7ef738, c8a76dbd, b9b72cb3, 3874f5f7)
• Rebase 0002-Disable-failing-tests-on-azl.patch for 9.1.0
• Remove --disable-pvrdma configure option (removed upstream in commit 1dfd42c4)
• Remove --disable-live-block-migration / --enable-live-block-migration configure options (removed upstream in commit eef0bae3a75f "migration: Remove block migration")
• Remove --disable-avx512f / --enable-avx512f configure options (removed upstream in commit 5765bca5)
• Remove nios2 architecture support (removed upstream in commit 6c3014858c4c "target/nios2: Remove the deprecated Nios II target")
• Enable virglrenderer support (have_virgl set to 1, now available in Azure Linux 3.0)
• Fix -gl and vhost-user-gpu subpackage conditionals to require both virgl AND opengl (QEMU 9.1.0 no longer builds these without opengl)
• Add qemu-vmsr-helper, hppa-firmware64.img, and systemtap tapset files for qemu-img, qemu-io, qemu-nbd, qemu-storage-daemon to packaging
• Guard qemu-vmsr-helper in %files tools with %ifarch x86_64 since it is x86-only (reads Intel RAPL MSRs) and not built on aarch64

Does this affect the toolchain?

NO

Associated memory leak fixes

• Fix rest handler leak kubevirt/kubevirt#15557
• Monitor: Reap all processes kubevirt/kubevirt#15676

Test Methodology

• Buddy build - https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1046735&view=results

[harshitgupta1337]

/lgtm
Thanks @aadhar-agarwal

[romoh]

LGTM

[CBL-Mariner-Bot]

Auto cherry-pick results:

• 3.0-dev ✅ -> [AUTO-CHERRYPICK] Upgrade kubevirt to 1.7.0, libvirt to 10.10.0 and QEMU to 9.1.0 - branch 3.0-dev #15788

Auto cherry-pick pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1046989&view=results