SB2025112859 - Two vulnerabilities in libvirt
Published: November 28, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Incorrect default permissions (CVE-ID: CVE-2025-13193)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to external inactive snapshots for shut-down VMs are incorrectly created as world-readable. A remote user can inspect the guest OS contents.
2) Resource exhaustion (CVE-ID: CVE-2025-12748)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling XML files. A remote user can pass a specially crafted XML file to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2415409
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120119
- https://gitlab.com/libvirt/libvirt/-/commit/a379327d8abcde8ac8d3e16fe5e4ba6f790d767a
- https://bugzilla.redhat.com/show_bug.cgi?id=2413801
- https://gitlab.com/libvirt/libvirt/-/issues/825
- https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/LTGHU3S4JEMCF5KJNJGWWZ7F2CS6L5SG/