CVE-2025-13193 — Incorrect Default Permissions in Libvirt

CWE-276 — Incorrect Default Permissions7 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 90.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Libvirt Debian Libvirt Msrc Azl3 Libvirt 10.0.0-5 ON Azure Linux 3.0 +1 more

Timeline

PublishedNov 17

Latest updateJan 8

Description

A flaw was found in libvirt. External inactive snapshots for shut-down VMs are incorrectly created as world-readable, making it possible for unprivileged users to inspect the guest OS contents. This results in an information disclosure vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/libvirt< libvirt 11.10.0-1 (forky)

▶Debianredhat/libvirt< 11.3.0-3+deb13u2+1

▶msrcmsrc/azl3_libvirt_10.0.0-5_on_azure_linux_3.0

▶msrcmsrc/azl3_libvirt_10.0.0-6_on_azure_linux_3.0

🔴Vulnerability Details

OSV

CVE-2025-13193: A flaw was found in libvirt↗2025-11-17

▶

GHSA

GHSA-223c-8f3h-q9f9: A flaw was found in libvirt↗2025-11-17

▶

📋Vendor Advisories

Ubuntu

libvirt vulnerabilities↗2026-01-08

▶

Red Hat

libvirt: Information disclosure via world-readable VM snapshots↗2025-11-12

▶

Microsoft

Libvirt: information disclosure via world-readable vm snapshots↗2025-11-11

▶

Debian

CVE-2025-13193: libvirt - A flaw was found in libvirt. External inactive snapshots for shut-down VMs are i...↗2025

▶