CVE-2025-47712

6.5 MEDIUM

📋 TL;DR

A vulnerability in nbdkit's blocksize filter allows denial of service when clients request block status information for excessively large data ranges. This affects systems using nbdkit with the blocksize filter enabled. The flaw causes internal errors that crash or hang the service.

💻 Affected Systems

Products:
  • nbdkit
Versions: nbdkit versions that include the blocksize filter. The references do not specify the affected versions; likely recent versions before the patch.
Operating Systems: Linux distributions using nbdkit (RHEL, Fedora, Debian, Ubuntu, etc.)
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using the blocksize filter. Default nbdkit installations without this filter are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service for nbdkit service, disrupting all NBD (Network Block Device) operations and potentially affecting dependent services or virtual machines.

🟠 Likely Case

Service disruption requiring manual restart of nbdkit, causing temporary unavailability of block devices.

🟢 If Mitigated

Minimal impact if service is monitored and automatically restarted, though repeated attacks could cause availability issues.

🌐 Internet-Facing: MEDIUM - nbdkit services exposed to untrusted networks could be targeted for DoS, but requires specific client requests.
🏢 Internal Only: LOW - Internal clients would need to be malicious or misconfigured to trigger the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specific malformed block status requests to nbdkit with blocksize filter enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor-specific updates (e.g., nbdkit 1.38.1 or later for Red Hat)

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-47712

Restart Required: Yes

Instructions:

1. Update the nbdkit package using the system package manager.
2. For Red Hat: 'yum update nbdkit'.
3. For Debian/Ubuntu: 'apt update && apt upgrade nbdkit'.
4. Restart nbdkit services.

🔧 Temporary Workarounds

Disable blocksize filter

linux

Remove or disable the blocksize filter from nbdkit configurations if not required.

Edit the nbdkit configuration to remove the '--filter=blocksize' parameter.

Limit client access

linux

Restrict nbdkit service to trusted clients only using firewall rules.

iptables -A INPUT -p tcp --dport 10809 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 10809 -j DROP

🧯 If You Can't Patch

  • Implement network segmentation to isolate nbdkit services from untrusted networks.
  • Deploy monitoring and automatic restart mechanisms for nbdkit services.

🔍 How to Verify

Check if Vulnerable:

Check if nbdkit is running with blocksize filter: 'ps aux | grep nbdkit | grep blocksize'

Check Version:

nbdkit --version

Verify Fix Applied:

Check the nbdkit version after the update with 'nbdkit --version' and verify that it is a patched version.
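
A stricter form of the "Check if Vulnerable" step, as an added example that is not part of the advisory or of nbdkit: it reads each process's argv from /proc and matches only the '--filter=blocksize' and '--filter blocksize' forms, so the separate blocksize-policy filter, which a plain 'grep blocksize' also matches, is not flagged. The function names and the 'scan' argument are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the advisory): find running nbdkit processes
# that load the blocksize filter by reading argv from /proc.

# has_blocksize_filter ARG...
# Returns 0 when the argument vector selects the blocksize filter, as
# "--filter=blocksize" or as "--filter blocksize"; 1 otherwise.
# Assumption: the option is spelled out in full, not abbreviated.
has_blocksize_filter() {
    prev=""
    for arg in "$@"; do
        if [ "$arg" = "--filter=blocksize" ]; then return 0; fi
        if [ "$prev" = "--filter" ] && [ "$arg" = "blocksize" ]; then
            return 0
        fi
        prev=$arg
    done
    return 1
}

# scan_running: print "PID: command line" for each matching nbdkit
# process. Returns 0 if at least one was found, 1 if none.
scan_running() {
    status=1
    nl='
'
    for f in /proc/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        # /proc/PID/cmdline is NUL-separated; split it on newlines instead.
        # (Arguments that themselves contain newlines are not handled.)
        old_ifs=$IFS; IFS=$nl; set -f
        set -- $(tr '\0' '\n' 2>/dev/null < "$f")
        set +f; IFS=$old_ifs
        [ $# -gt 0 ] || continue
        [ "${1##*/}" = "nbdkit" ] || continue   # compare argv[0] basename
        if has_blocksize_filter "$@"; then
            pid=${f#/proc/}
            echo "${pid%/cmdline}: $*"
            status=0
        fi
    done
    return $status
}

# Scan only when asked, e.g.: sh check-blocksize.sh scan
if [ "${1:-}" = "scan" ]; then
    scan_running
fi
```

Run it as root so that the command lines of nbdkit processes owned by other users are readable.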

📡 Detection & Monitoring

Log Indicators:

  • nbdkit crash logs
  • segmentation fault errors in system logs
  • unexpected nbdkit service termination

Network Indicators:

  • Unusually large block status requests to the nbdkit port (default 10809)
  • Sudden drop in nbdkit service availability

SIEM Query:

source="*nbdkit*" AND ("segmentation fault" OR "internal error" OR "crash")
