PatchSiren cyber security CVE debrief

CVE-2025-12748 Red Hat CVE debrief

A medium-severity denial-of-service vulnerability in libvirt allows authenticated local users with limited permissions to trigger excessive memory allocation by submitting a crafted XML file that libvirt parses before ACL validation occurs. The resulting memory exhaustion can crash the libvirt process.

Vendor: Red Hat
Product: Red Hat Enterprise Linux 10
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-11-11
Original CVE updated: 2026-05-19
Advisory published: 2025-11-11
Advisory updated: 2026-05-19

Who should care

Organizations running libvirt-based virtualization infrastructure on Red Hat Enterprise Linux or derivatives, particularly multi-tenant environments where non-administrative users have API access to libvirt. Cloud providers and managed hosting services with customer-facing virtualization controls should prioritize patching.

Technical summary

The vulnerability exists in libvirt's XML processing pipeline, where user-provided XML is parsed before access control list (ACL) enforcement. This ordering flaw permits authenticated users with limited privileges to submit malicious XML that triggers excessive memory allocation on the host. The resulting memory pressure can cause the libvirt daemon to terminate, creating a denial-of-service condition for virtualization management. The attack requires local access and valid credentials but no user interaction. No confidentiality or integrity impact is associated with this flaw; the availability impact is rated high in the CVSS vector.

Defensive priority

Medium

Recommended defensive actions

  • Apply RHSA-2026:18326 and RHSA-2026:18748 security updates from Red Hat when available
  • Restrict libvirt API access to trusted administrative users until patching
  • Monitor libvirt daemon memory utilization for anomalous spikes
  • Review XML submission audit logs for unusually large or malformed inputs
  • Validate XML schema constraints at application layer before libvirt submission where feasible
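The last action above, application-layer validation before the XML ever reaches libvirt, can be a simple streaming guard that enforces size, element-count, nesting-depth and attribute-length caps. The code below is an added example for this debrief, not libvirt or Red Hat code; the cap values are assumed, tunable defaults, the `define` callable stands in for whatever submission call the application uses (for example a libvirt-python `defineXML`), and the sample documents are constructed.

```python
"""Pre-submission guard for domain XML (added example, not libvirt code).

Mitigates CWE-770-style resource exhaustion by rejecting oversized or deeply
nested XML at the application layer before libvirt parses it. All caps below
are assumed defaults, not vendor recommendations.
"""
import xml.etree.ElementTree as ET
from io import BytesIO

MAX_BYTES = 256 * 1024     # assumed cap on raw document size
MAX_ELEMENTS = 5000        # assumed cap on total element count
MAX_DEPTH = 32             # assumed cap on nesting depth
MAX_ATTR_LEN = 4096        # assumed cap on any single attribute value


class XmlRejected(ValueError):
    """Raised when a document violates a guard limit."""


def check_domain_xml(data: bytes) -> dict:
    """Stream-parse `data` and enforce the caps; return observed metrics.

    iterparse plus elem.clear() keeps the guard's own memory use bounded,
    so the check itself cannot be turned into a second exhaustion point.
    """
    if len(data) > MAX_BYTES:
        raise XmlRejected(f"document is {len(data)} bytes, cap is {MAX_BYTES}")
    depth = max_depth = elements = 0
    try:
        for event, elem in ET.iterparse(BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                max_depth = max(max_depth, depth)
                if depth > MAX_DEPTH:
                    raise XmlRejected(f"nesting depth exceeds {MAX_DEPTH}")
                if elements > MAX_ELEMENTS:
                    raise XmlRejected(f"element count exceeds {MAX_ELEMENTS}")
                for name, value in elem.attrib.items():
                    if len(value) > MAX_ATTR_LEN:
                        raise XmlRejected(f"attribute {name!r} too long")
            else:
                depth -= 1
                elem.clear()  # release the finished subtree immediately
    except ET.ParseError as exc:
        raise XmlRejected(f"malformed XML: {exc}") from exc
    return {"bytes": len(data), "elements": elements, "max_depth": max_depth}


def guarded_define(data: bytes, define) -> dict:
    """Call the assumed submission callable only after the guard passes."""
    metrics = check_domain_xml(data)
    define(data.decode("utf-8"))
    return metrics


# Constructed sample inputs (not from any advisory or real exploit).
SAMPLE_OK = b"<domain type='kvm'><name>g</name><memory unit='MiB'>512</memory></domain>"
SAMPLE_DEEP = b"<a>" * (MAX_DEPTH + 1) + b"</a>" * (MAX_DEPTH + 1)
```

Log each rejection with the metric that tripped, since a run of rejected submissions from one user is exactly the signal the monitoring actions above are looking for.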

Evidence notes

CVE published 2025-11-11; modified 2026-05-19. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H confirms local attack vector with low complexity and privileges required. CWE-770 (Allocation of Resources Without Limits or Throttling) identified by Red Hat. Multiple Red Hat Security Advisories (RHSA-2026:18326, RHSA-2026:18748) and Bugzilla entry 2413801 provide vendor acknowledgment.
