
CVE-2025-12748 PoC — Libvirt: denial of service in xml parsing

Associated vulnerability
Title: Libvirt: denial of service in xml parsing (CVE-2025-12748)
Description: A flaw was discovered in libvirt in the XML file processing. More specifically, the parsing of user provided XML files was performed before the ACL checks. A malicious user with limited permissions could exploit this flaw by submitting a specially crafted XML file, causing libvirt to allocate too much memory on the host. The excessive memory consumption could lead to a libvirt process crash on the host, resulting in a denial-of-service condition.
Repository description: Proof of concept & details for CVE-2025-12748
Readme
# CVE-2025-12748

[Eng](#english) [Rus](#russian)

- Credit: Svyatoslav Tereshin (@TERESH1), Artem Mukhin (@saladosss)
- Issues: [#687](https://gitlab.com/libvirt/libvirt/-/issues/687), [#825](https://gitlab.com/libvirt/libvirt/-/issues/825)

## English

### Description
An issue was discovered in the XML file processing procedure.

The processing of the file's content is performed before the [ACL](https://libvirt.org/acl.html) check. This allows a user with limited permissions to submit a specially crafted XML file that can cause too much resource consumption, leading to a potential denial-of-service (DoS) attack.

### Environment Setup
1. OS: Alt Linux P10 server
2. Install and configure libvirt/qemu as described in this [article](https://www.altlinux.org/Libvirt_(Qemu%2BKVM%2BVirt-manager)) (in Russian); in summary:
```sh
apt-get install libvirt libvirt-kvm libvirt-qemu
gpasswd -a user vmusers
systemctl enable --now libvirtd
```

3. In `/etc/libvirt/libvirtd.conf`, replace the content with:
```conf
listen_tls = 0
listen_tcp = 1
tcp_port = "16509"
listen_addr = "0.0.0.0"
unix_sock_group = "vmusers"
auth_tcp = "none"
access_drivers = ["polkit"]
min_workers = 1
max_workers = 1
prio_workers = 1
admin_min_workers = 1
admin_max_workers = 1

log_outputs="1:file:/var/log/libvirt/libvirtd.log"
log_level = 1
```
4. Add a rule for polkit (`/etc/polkit-1/rules.d/50-libvirt-user.rules`):
```js
polkit.addRule(function(action, subject) {
    polkit.log("action=" + action);
    polkit.log("subject=" + subject);
    if ((action.id == "org.libvirt.api.domain.write" || action.id == "org.libvirt.api.domain.save") &&
        subject.user == "user") {
        return polkit.Result.NO;
    }
    else {
        return polkit.Result.YES;
    }
})
```
5. Restart services: `systemctl restart libvirtd polkit`

### Reproduce
Attempting to access libvirt with a valid XML file:
```sh
virsh --connect qemu://system define ./test.xml
```
The following error will be received:
```
error: Failed to define domain from ./test.xml
error: access denied: access denied "QEMU"
```

And the corresponding polkit log:
```
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.unix.manage']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers,docker seat=null session='55525' local=false active=true]
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.api.connect.getattr' connect_driver='QEMU']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers,docker seat=null session='55525' local=false active=true]
polkitd[611708]: Unregistered Authentication Agent for unix-process:613904:1401403695 (system bus name :1.113770, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ru_RU.UTF-8) (disconnected from bus)
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.api.domain.write' domain_name='test-vm' connect_driver='QEMU' domain_uuid='123e4567-e89b-12d3-a456-426614174000']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers,docker seat=null session='55525' local=false active=true]
```

Attempting to access libvirt with a malicious XML file:
```sh
virsh --connect qemu://system define ./oom.xml
```

The log stays empty because the server hangs; the increased resource consumption by `libvirtd` can be observed in `top`.
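As an added example (not part of the PoC repository), the following Python script parses polkit log lines in the format produced by the rule in step 4 and flags domain write/save requests coming from users outside an allowed set, so that attempts like the one above stand out in the journal. The sample lines are constructed after the excerpt above, and the allowed-user set is an assumption.

```python
import re

# One polkit.log() record per line, as written by the rule above:
#   action=[Action id='...' domain_name='...']   or   subject=[Subject pid=... user='...' ...]
_RECORD = re.compile(r"^.*?:\s*(action|subject)=\[(?:Action|Subject)\s+(.*)\]\s*$")
# key=value pairs; values are quoted ('user') or bare (pid=613904, seat=null, local=false)
_KV = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")

SENSITIVE_ACTIONS = {"org.libvirt.api.domain.write", "org.libvirt.api.domain.save"}


def parse_record(line):
    """Return ('action'|'subject', {key: value}) for a polkit.log line, else None."""
    m = _RECORD.match(line)
    if not m:
        return None  # e.g. "Unregistered Authentication Agent ..." lines
    fields = {k: quoted or bare for k, quoted, bare in _KV.findall(m.group(2))}
    return m.group(1), fields


def domain_write_attempts(lines, allowed_users):
    """Pair each Action record with the Subject record that follows it and return
    the domain write/save requests made by users outside allowed_users."""
    hits, pending = [], None
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        kind, fields = rec
        if kind == "action":
            pending = fields
        elif kind == "subject" and pending is not None:
            if pending.get("id") in SENSITIVE_ACTIONS and fields.get("user") not in allowed_users:
                hits.append({"pid": fields.get("pid", ""), "user": fields.get("user", ""),
                             "action": pending["id"], "domain": pending.get("domain_name", "")})
            pending = None
    return hits


# Constructed sample modelled on the README's log excerpt (not a real capture).
SAMPLE_LOG = [
    "polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.api.connect.getattr' connect_driver='QEMU']",
    "polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers seat=null session='55525' local=false active=true]",
    "polkitd[611708]: Unregistered Authentication Agent for unix-process:613904:1401403695 (disconnected from bus)",
    "polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.api.domain.write' domain_name='test-vm' connect_driver='QEMU']",
    "polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers seat=null session='55525' local=false active=true]",
]

if __name__ == "__main__":
    for hit in domain_write_attempts(SAMPLE_LOG, allowed_users={"root"}):
        print(hit)
```

Because the ACL check runs only after parsing, a define request that never reaches the `org.libvirt.api.domain.write` line while `libvirtd` is busy is exactly the silent case described above; this script only covers the requests that do get logged.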

## Russian

### Description
An issue was discovered in the processing of the XML file.

The processing of the file's content is performed before the [ACL](https://libvirt.org/acl.html) check. This allows a user with limited permissions to send a specially crafted XML file that can cause excessive resource consumption, leading to a potential denial-of-service (DoS) attack.

### Environment Setup
1. OS: Alt Linux P10 server
2. Install and configure libvirt/qemu as described in this [article](https://www.altlinux.org/Libvirt_(Qemu%2BKVM%2BVirt-manager))
3. In `/etc/libvirt/libvirtd.conf`, replace the text with:
```conf
listen_tls = 0
listen_tcp = 1
tcp_port = "16509"
listen_addr = "0.0.0.0"
unix_sock_group = "vmusers"
auth_tcp = "none"
access_drivers = ["polkit"]
min_workers = 1
max_workers = 1
prio_workers = 1
admin_min_workers = 1
admin_max_workers = 1

log_outputs="1:file:/var/log/libvirt/libvirtd.log"
log_level = 1
```
4. Add a rule for polkit (`/etc/polkit-1/rules.d/50-libvirt-user.rules`):
```js
polkit.addRule(function(action, subject) {
    polkit.log("action=" + action);
    polkit.log("subject=" + subject);
    if ((action.id == "org.libvirt.api.domain.write" || action.id == "org.libvirt.api.domain.save") &&
        subject.user == "user") {
        return polkit.Result.NO;
    }
    else {
        return polkit.Result.YES;
    }
})
```

5. Restart the services: `systemctl restart libvirtd polkit`

### Reproduce
Accessing libvirt with a valid XML file:
```sh
virsh --connect qemu://system define ./test.xml
```
The following error will be received:
```
ошибка: Не удалось создать описание домена на основе ./test.xml
ошибка: доступ запрещен: доступ запрещен "QEMU"
```
And the corresponding polkit log:
```
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.unix.manage']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers,docker seat=null session='55525' local=false active=true]
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.api.connect.getattr' connect_driver='QEMU']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers,docker seat=null session='55525' local=false active=true]
polkitd[611708]: Unregistered Authentication Agent for unix-process:613904:1401403695 (system bus name :1.113770, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale ru_RU.UTF-8) (disconnected from bus)
polkitd[611708]: <no filename>:2: action=[Action id='org.libvirt.api.domain.write' domain_name='test-vm' connect_driver='QEMU' domain_uuid='123e4567-e89b-12d3-a456-426614174000']
polkitd[611708]: <no filename>:3: subject=[Subject pid=613904 user='user' groups=user,wheel,vmusers,docker seat=null session='55525' local=false active=true]
```
Accessing libvirt with a malicious XML file:
```sh
virsh --connect qemu://system define ./oom.xml
```
The log will be empty because the server hangs; the growth in resources consumed by `libvirtd` can be monitored in `top`.
