CVE-2025-13193

EUVD-2025-197850
A flaw was found in libvirt. External inactive snapshots for shut-down VMs are incorrectly created as world-readable, making it possible for unprivileged users to inspect the guest OS contents. This results in an information disclosure vulnerability.
| Provider | Type | Base Score | Attack Vector | Attack Complexity | Privileges Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 5.5 MEDIUM | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| redhat | CNA | 5.5 MEDIUM | LOCAL | LOW | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Awaiting analysis
This vulnerability is currently awaiting analysis.
EPSS Score
Percentile: 13%
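Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| libvirt | bookworm | 9.0.0-4+deb12u2 | not-affected |
| libvirt | bullseye | 7.0.0-3+deb11u3 | not-affected |
| libvirt | forky | 12.0.0-1 | fixed |
| libvirt | sid | 12.0.0-1 | fixed |
| libvirt | trixie | 11.3.0-3+deb13u2 | fixed |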
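Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| libvirt | bionic | | needs-triage |
| libvirt | focal | | needs-triage |
| libvirt | jammy | Fixed 8.0.0-1ubuntu7.15 | released |
| libvirt | noble | Fixed 10.0.0-2ubuntu8.11 | released |
| libvirt | plucky | Fixed 11.0.0-2ubuntu6.5 | released |
| libvirt | questing | Fixed 11.6.0-1ubuntu3.2 | released |
| libvirt | trusty | | needs-triage |
| libvirt | xenial | | needs-triage |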