CVE-2025-12748

EUVD-2025-99083

11.11.2025, 20:15

A flaw was discovered in libvirt in the XML file processing. More specifically, the parsing of user provided XML files was performed before the ACL checks. A malicious user with limited permissions could exploit this flaw by submitting a specially crafted XML file, causing libvirt to allocate too much memory on the host. The excessive memory consumption could lead to a libvirt process crash on the host, resulting in a denial-of-service condition.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
redhat	CNA	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 15%

Debian Releases

Debian Product

Codename

libvirt

bookworm	no-dsa
bullseye	postponed
forky	12.0.0-1 fixed
sid	12.0.0-1 fixed
trixie	11.3.0-3+deb13u2 fixed

Ubuntu Releases

Ubuntu Product

Codename

libvirt

bionic	needs-triage
focal	needs-triage
jammy	Fixed 8.0.0-1ubuntu7.15 released
noble	Fixed 10.0.0-2ubuntu8.11 released
plucky	Fixed 11.0.0-2ubuntu6.5 released
questing	Fixed 11.6.0-1ubuntu3.2 released
trusty	needs-triage
xenial	needs-triage

Common Weakness Enumeration

CWE-770 - Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References

https://access.redhat.com/security/cve/CVE-2025-12748

https://bugzilla.redhat.com/show_bug.cgi?id=2413801