CVE-2025-14876 — Allocation of Resources Without Limits or Throttling in Qemu

CWE-770 — Allocation of Resources Without Limits or Throttling8 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 99.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Qemu

Timeline

PublishedFeb 18

Latest updateMar 4

Description

A flaw was found in the virtio-crypto device of QEMU. A malicious guest operating system can exploit a missing length limit in the AKCIPHER path, leading to uncontrolled memory allocation. This can result in a denial of service (DoS) on the host system by causing the QEMU process to terminate unexpectedly.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/qemu< qemu 1:10.2.1+ds-1 (forky)

▶Debianqemu/qemu< 1:10.0.8+ds-0+deb13u1+1

▶Ubuntuqemu/qemu< 1:6.2+dfsg-2ubuntu6.28+2

🔴Vulnerability Details

OSV

qemu vulnerabilities↗2026-03-04

▶

OSV

CVE-2025-14876: A flaw was found in the virtio-crypto device of QEMU↗2026-02-18

▶

GHSA

GHSA-gq25-pccv-6q8j: A flaw was found in the virtio-crypto device of QEMU↗2026-02-18

▶

📋Vendor Advisories

Ubuntu

QEMU vulnerabilities↗2026-03-04

▶

Red Hat

qemu-kvm: Unbounded allocation in virtio-crypto↗2025-12-14

▶

Debian

CVE-2025-14876: qemu - A flaw was found in the virtio-crypto device of QEMU. A malicious guest operatin...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-14876 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶