CVE-2025-12748

Published: November 12, 2025Last modified: December 12, 2025

Description

A flaw was discovered in libvirt in the XML file processing. More specifically, the parsing of user provided XML files was performed before the ACL checks. A malicious user with limited permissions could exploit this flaw by submitting a specially crafted XML file, causing libvirt to allocate too much memory on the host. The excessive memory consumption could lead to a libvirt process crash on the host, resulting in a denial-of-service condition.

Severity score breakdown

ParameterValue
Base score5.5
Attack VectorLOCAL
Attack complexityLOW
Privileges requiredLOW
User interactionNONE
ScopeUNCHANGED
ConfidentialityNONE
Integrity impactNONE
Availability impactHIGH
VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Notes

Note: the link to the patch https://lists.libvirt.org/archives/list/[email protected]/thread/LTGHU3S4JEMCF5KJNJGWWZ7F2CS6L5SG/ as per https://bugzilla.redhat.com/show_bug.cgi?id=2413801 is down currently

Status

ProductReleasePackageStatus
Alpaquita Linux23 LTSlibvirtFixed (8.9.0-r7)
25 LTSlibvirtFixed (11.3.0-r2)
StreamlibvirtFixed (11.10.0-r0)

References

ON THIS PAGE