CVE-2025-12748 — Allocation of Resources Without Limits or Throttling in Libvirt

CWE-770 — Allocation of Resources Without Limits or Throttling7 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 73.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Libvirt Debian Libvirt Msrc Azl3 Libvirt 10.0.0-5 ON Azure Linux 3.0 +4 more

Timeline

PublishedNov 11

Latest updateJan 8

Description

A flaw was discovered in libvirt in the XML file processing. More specifically, the parsing of user provided XML files was performed before the ACL checks. A malicious user with limited permissions could exploit this flaw by submitting a specially crafted XML file, causing libvirt to allocate too much memory on the host. The excessive memory consumption could lead to a libvirt process crash on the host, resulting in a denial-of-service condition.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages7 packages

▶debiandebian/libvirt< libvirt 11.10.0-1 (forky)

▶Debianredhat/libvirt< 11.3.0-3+deb13u2+1

▶msrcmsrc/azl3_libvirt_10.0.0-5_on_azure_linux_3.0

▶msrcmsrc/azl3_libvirt_10.0.0-6_on_azure_linux_3.0

▶msrcmsrc/azl3_libvirt_10.0.0-7_on_azure_linux_3.0

🔴Vulnerability Details

GHSA

GHSA-qwrw-p888-cc55: A flaw was discovered in libvirt in the XML file processing↗2025-11-11

▶

OSV

CVE-2025-12748: A flaw was discovered in libvirt in the XML file processing↗2025-11-11

▶

📋Vendor Advisories

Ubuntu

libvirt vulnerabilities↗2026-01-08

▶

Microsoft

Libvirt: denial of service in xml parsing↗2025-11-11

▶

Red Hat

libvirt: Denial of service in XML parsing↗2025-11-07

▶

Debian

CVE-2025-12748: libvirt - A flaw was discovered in libvirt in the XML file processing. More specifically, ...↗2025

▶