CVE-2025-14525

Description

A flaw was found in kubevirt. A user within a virtual machine (VM), if the guest agent is active, can exploit this by causing the agent to report an excessive number of network interfaces. This action can overwhelm the system's ability to store VM configuration updates, effectively blocking changes to the Virtual Machine Instance (VMI). This allows the VM user to restrict the VM administrator's ability to manage the VM, leading to a denial of service for administrative operations.

CVSS Details

CVSS Score

6.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

kubevirt < 1.3.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

在VM内部执行以下命令创建大量网络接口：

#!/bin/bash
for i in $(seq 1 100); do
    ip link add veth-$i type veth peer name veth-$i-p
done

guest-agent会向宿主机报告这些接口，过多的接口会导致配置存储系统过载，阻止管理员对VMI的任何修改操作。

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14525
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14525
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14525/
[4] VulDB https://vuldb.com/cve/CVE-2025-14525
[5] https://access.redhat.com/security/cve/CVE-2025-14525
[6] https://bugzilla.redhat.com/show_bug.cgi?id=2421360

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14525", "sourceIdentifier": "[email protected]", "published": "2026-01-26T20:16:08.163", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in kubevirt. A user within a virtual machine (VM), if the guest agent is active, can exploit this by causing the agent to report an excessive number of network interfaces. This action can overwhelm the system's ability to store VM configuration updates, effectively blocking changes to the Virtual Machine Instance (VMI). This allows the VM user to restrict the VM administrator's ability to manage the VM, leading to a denial of service for administrative operations."}, {"lang": "es", "value": "Se encontró una vulnerabilidad en kubevirt. Un usuario dentro de una máquina virtual (VM), si el agente invitado está activo, puede explotar esto al hacer que el agente informe un número excesivo de interfaces de red. Esta acción puede sobrecargar la capacidad del sistema para almacenar actualizaciones de configuración de la VM, bloqueando eficazmente los cambios en la Instancia de Máquina Virtual (VMI). Esto permite al usuario de la VM restringir la capacidad del administrador de la VM para gestionar la VM, lo que lleva a una denegación de servicio para las operaciones administrativas."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-14525", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2421360", "source": "[email protected]"}]}}