Associated Vulnerability
Title: Libvirt: denial of service in xml parsing (CVE-2025-12748)
Description: A flaw was discovered in libvirt in the XML file processing. More specifically, the parsing of user provided XML files was performed before the ACL checks. A malicious user with limited permissions could exploit this flaw by submitting a specially crafted XML file, causing libvirt to allocate too much memory on the host. The excessive memory consumption could lead to a libvirt process crash on the host, resulting in a denial-of-service condition.
Description
Proof of concept & details for CVE-2025-12748
Readme
# CVE-2025-12748
[Eng](#english) [Rus](#руссский)
- Credit: Svyatoslav Tereshin (@TERESH1), Artem Mukhin (@saladosss)
- Issues: [#687](https://gitlab.com/libvirt/libvirt/-/issues/687), [#825](https://gitlab.com/libvirt/libvirt/-/issues/825)
## English
### Description
An issue was discovered in the XML file processing procedure.
The file's content is processed before the [ACL](https://libvirt.org/acl.html) check. This allows a user with limited permissions to submit a specially crafted XML file that can cause excessive resource consumption, leading to a potential denial-of-service (DoS) attack.
### Environment Setup
1. OS: Alt Linux P10 server
2. Install and configure libvirt/qemu as per the [article](https://www.altlinux.org/Libvirt_(Qemu%2BKVM%2BVirt-manager)) (in Russian)
   - Summary in English:
```sh
apt-get install libvirt libvirt-kvm libvirt-qemu
gpasswd -a user vmusers
systemctl enable --now libvirtd
```
3. In `/etc/libvirt/libvirtd.conf`, replace the content with:
```conf
listen_tls = 0
listen_tcp = 1
tcp_port = "16509"
listen_addr = "0.0.0.0"
unix_sock_group = "vmusers"
auth_tcp = "none"
access_drivers = ["polkit"]
min_workers = 1
max_workers = 1
prio_workers = 1
admin_min_workers = 1
admin_max_workers = 1
log_outputs="1:file:/var/log/libvirt/libvirtd.log"
log_level = 1
```
4. Add a rule for polkit (`/etc/polkit-1/rules.d/50-libvirt-user.rules`):
```js
polkit.addRule(function(action, subject) {
    polkit.log("action=" + action);
    polkit.log("subject=" + subject);
    // Test rule: deny domain write/save for "user", allow every other action.
    if ((action.id == "org.libvirt.api.domain.write" || action.id == "org.libvirt.api.domain.save") &&
        subject.user == "user") {
        return polkit.Result.NO;
    }
    else {
        return polkit.Result.YES;
    }
})
```
5. Restart services: `systemctl restart libvirtd polkit`
### Reproduce
Attempting to access libvirt with a valid XML file:
```sh
virsh --connect qemu:///system define ./test.xml
```
The following error will be received:
```
error: Failed to define domain from ./test.xml
error: access denied: access denied "QEMU"
```
And the corresponding polkit log:
```
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.unix.manage']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers,docker seat=null session='55525' local=false active=true]
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.api.connect.getattr' connect_driver='QEMU']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers,docker seat=null session='55525' local=false active=true]
polkitd[611708]: Unregistered Authentication Agent for unix-process:613904:1401403695 (system bus name :1.113770, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ru_RU.UTF-8) (disconnected from bus)
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.api.domain.write' domain_name='test-vm' connect_driver='QEMU' domain_uuid='123e4567-e89b-12d3-a456-426614174000']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers,docker seat=null session='55525' local=false active=true]
```
Attempting to access libvirt with a malicious XML file:
```sh
virsh --connect qemu:///system define ./oom.xml
```
The log will be empty due to the server hanging, and increased resource consumption by libvirtd can be observed in `top`.
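To triage the polkit log shown above, the following added example (not part of the original README) pairs each `action=` line with the `subject=` line after it and lists clients that passed connection-level checks but for which no `org.libvirt.api.domain.*` check was logged. It assumes connection-level entries are still written when a request stalls before its ACL check; the sample log, pid 700001 and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format written by the polkit.log() calls in the rule above.
# pid 613904 follows the README's log; pid 700001 is invented for illustration.
SAMPLE_LOG = """\
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.unix.manage']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,vmusers seat=null session='55525' local=false active=true]
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.api.connect.getattr' connect_driver='QEMU']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,vmusers seat=null session='55525' local=false active=true]
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.api.domain.write' domain_name='test-vm' connect_driver='QEMU']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,vmusers seat=null session='55525' local=false active=true]
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.unix.manage']
polkitd[611708]: <no filename>:3: subject=[Subject pid=700001 user='user' groups=user,vmusers seat=null session='55525' local=false active=true]
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.api.connect.getattr' connect_driver='QEMU']
polkitd[611708]: <no filename>:3: subject=[Subject pid=700001 user='user' groups=user,vmusers seat=null session='55525' local=false active=true]
"""

ACTION_RE = re.compile(r"action=\[Action id='([^']+)'")
SUBJECT_RE = re.compile(r"subject=\[Subject pid=(\d+) user='([^']+)'")

def actions_by_client(log_text):
    """Map (pid, user) to the ordered list of polkit action ids checked for it."""
    seen = defaultdict(list)
    pending = None  # action id waiting for its subject line
    for line in log_text.splitlines():
        action = ACTION_RE.search(line)
        if action:
            pending = action.group(1)
            continue
        subject = SUBJECT_RE.search(line)
        if subject and pending:
            seen[(int(subject.group(1)), subject.group(2))].append(pending)
            pending = None
    return dict(seen)

def connected_without_domain_check(log_text, prefix="org.libvirt.api.domain."):
    """Clients with a logged connection check but no domain-level ACL check."""
    return sorted(
        client for client, actions in actions_by_client(log_text).items()
        if "org.libvirt.api.connect.getattr" in actions
        and not any(a.startswith(prefix) for a in actions)
    )

if __name__ == "__main__":
    for pid, user in connected_without_domain_check(SAMPLE_LOG):
        print(f"pid={pid} user={user}: connected, no domain ACL check logged")
```

A client that only connects and disconnects is listed as well, so treat the output as a starting point to correlate with `libvirtd` memory use rather than as a verdict.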
## Руссский
### Description
An issue was discovered in the processing of XML files.
The file's content is processed before the [ACL](https://libvirt.org/acl.html) check. This allows a user with limited permissions to submit a specially crafted XML file that can cause excessive resource consumption, leading to a potential denial-of-service (DoS) attack.
### Environment Setup
1. OS: Alt Linux P10 server
2. Install and configure libvirt/qemu as per the [article](https://www.altlinux.org/Libvirt_(Qemu%2BKVM%2BVirt-manager))
3. In `/etc/libvirt/libvirtd.conf`, replace the content with:
```conf
listen_tls = 0
listen_tcp = 1
tcp_port = "16509"
listen_addr = "0.0.0.0"
unix_sock_group = "vmusers"
auth_tcp = "none"
access_drivers = ["polkit"]
min_workers = 1
max_workers = 1
prio_workers = 1
admin_min_workers = 1
admin_max_workers = 1
log_outputs="1:file:/var/log/libvirt/libvirtd.log"
log_level = 1
```
4. Add a rule for polkit (`/etc/polkit-1/rules.d/50-libvirt-user.rules`):
```js
polkit.addRule(function(action, subject) {
    polkit.log("action=" + action);
    polkit.log("subject=" + subject);
    // Test rule: deny domain write/save for "user", allow every other action.
    if ((action.id == "org.libvirt.api.domain.write" || action.id == "org.libvirt.api.domain.save") &&
        subject.user == "user") {
        return polkit.Result.NO;
    }
    else {
        return polkit.Result.YES;
    }
})
```
5. Restart services: `systemctl restart libvirtd polkit`
### Reproduce
Accessing libvirt with a valid XML file:
```sh
virsh --connect qemu:///system define ./test.xml
```
The following error will be received:
```
ошибка: Не удалось создать описание домена на основе ./test.xml
ошибка: доступ запрещен: доступ запрещен "QEMU"
```
And the corresponding polkit log:
```
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.unix.manage']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers,docker seat=null session='55525' local=false active=true]
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.api.connect.getattr' connect_driver='QEMU']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers,docker seat=null session='55525' local=false active=true]
polkitd[611708]: Unregistered Authentication Agent for unix-process:613904:1401403695 (system bus name :1.113770, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ru_RU.UTF-8) (disconnected from bus)
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.api.domain.write' domain_name='test-vm' connect_driver='QEMU' domain_uuid='123e4567-e89b-12d3-a456-426614174000']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers,docker seat=null session='55525' local=false active=true]
```
Accessing libvirt with a malicious XML file:
```sh
virsh --connect qemu:///system define ./oom.xml
```
The log will be empty because the server hangs; the increase in resources consumed by `libvirtd` can be monitored in `top`.
File Snapshot
[4.0K] /data/pocs/f3d0623dd74ee13f598f3842b7ed5929518c7bfd
├── [1.1K] oom.xml
├── [7.0K] README.md
└── [ 697] test.xml
1 directory, 3 files