CVE-2025-14876
📋 TL;DR
A vulnerability in QEMU's virtio-crypto device allows malicious guest operating systems to trigger uncontrolled memory allocation via the AKCIPHER path, causing the QEMU process to terminate. This results in denial of service on the host system. Affected are systems running QEMU with virtio-crypto enabled.
💻 Affected Systems
- QEMU
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete host system denial of service through QEMU process termination, disrupting all virtual machines running on that host.
Likely Case
Targeted DoS attacks against specific hosts running vulnerable QEMU configurations, causing VM downtime.
If Mitigated
Minimal impact if virtio-crypto is disabled or patches are applied; isolated to individual QEMU instances.
🎯 Exploit Status
Requires guest OS compromise or malicious guest to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisories for specific patched versions
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-14876
Restart Required: Yes
Instructions:
1. Check your QEMU version. 2. Apply vendor-provided patches. 3. Restart QEMU processes/VMs. 4. Verify fix with version check.
🔧 Temporary Workarounds
Disable virtio-crypto
linuxRemove or disable virtio-crypto device from VM configurations
Edit VM configuration to remove '-device virtio-crypto' or similar lines
🧯 If You Can't Patch
- Isolate vulnerable VMs to separate hosts to limit blast radius
- Implement strict access controls to prevent guest VM compromise
🔍 How to Verify
Check if Vulnerable:
Check QEMU version and if virtio-crypto is enabled in VM configurationsCheck Version:
qemu-system-x86_64 --versionVerify Fix Applied:
Verify QEMU version is patched and test virtio-crypto functionality📡 Detection & Monitoring
Log Indicators:
- QEMU process crashes/terminations
- Memory allocation failures in QEMU logs
- Guest VM abnormal termination
Network Indicators:
- Sudden loss of connectivity to VMs on affected host
SIEM Query:
source="qemu.log" AND ("terminated" OR "segmentation fault" OR "out of memory")