Skip to main content

QEMU e1000 CVE-2025-12464

MEDIUM
Stack-based Buffer Overflow (CWE-121)
2025-10-31 secalert@redhat.com
6.2
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.2 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 06, 2026 - 16:30 vuln.today

DescriptionCVE.org

A stack-based buffer overflow was found in the QEMU e1000 network device. The code for padding short frames was dropped from individual network devices and moved to the net core code. The issue stems from the device's receive code still being able to process a short frame in loopback mode. This could lead to a buffer overrun in the e1000_receive_iov() function via the loopback code path. A malicious guest user could use this vulnerability to crash the QEMU process on the host, resulting in a denial of service.

AnalysisAI

Stack-based buffer overflow in QEMU's e1000 network device emulation allows local guest users to crash the QEMU process via crafted short frames in loopback mode, causing denial of service on the host. The vulnerability exists in the e1000_receive_iov() function where frame padding logic was removed from the device layer but loopback mode still processes short frames unsafely. No public exploit code or active exploitation in KEV has been reported at time of analysis.

Technical ContextAI

QEMU emulates the Intel e1000 network device for guest virtual machines. Frame padding-the process of enlarging packets smaller than the minimum Ethernet frame size (64 bytes)-was previously handled at the individual network device level. This code was refactored and centralized into QEMU's net core code layer. However, the e1000 device's loopback mode (used for internal testing and bridging guest traffic back to the host) bypasses the net core padding logic and directly invokes e1000_receive_iov(). When a short frame enters through loopback without proper padding, the function's buffer operations overflow the stack. The root cause is classified under CWE-121 (Stack-based Buffer Overflow), a memory safety violation resulting from inconsistent refactoring between device-specific and core network code paths.

Affected ProductsAI

QEMU project affected versions determined by stack-based buffer overflow in e1000_receive_iov() function within the e1000 network device emulation code. Specific version ranges not explicitly stated in provided data; however, the vulnerability is tied to refactoring of frame padding logic, suggesting it affects QEMU versions where this refactoring was incomplete (likely QEMU 7.x or 8.x based on Red Hat bugzilla reference 2408845). CPE identifier would be cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:* with version range to be confirmed by vendor advisory at https://access.redhat.com/security/cve/CVE-2025-12464 and upstream issue tracker at https://gitlab.com/qemu-project/qemu/-/issues/3043.

RemediationAI

Apply vendor-released patch from QEMU upstream addressing the e1000_receive_iov() buffer overflow. Users should consult Red Hat Security Advisory at https://access.redhat.com/security/cve/CVE-2025-12464 for patched package versions (likely QEMU 9.x or later). Intermediate mitigation: disable loopback mode on e1000 devices if not required for guest networking, or restrict guest administrative access to prevent triggering loopback traffic. However, these workarounds may impact guest network functionality and should only be temporary until patching completes. For multi-tenant environments, consider isolating untrusted guest VMs on separate hypervisors until patching is deployed. Upgrade hypervisor packages as soon as patched versions are released by your distribution maintainer.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.100 Container suse/sl-micro/6.1/kvm-os-container:2.2.0-3.3 Affected
Container suse/sle-micro/kvm-5.5:2.0.4-3.5.443 Affected
Image SLES15-SP6-EC2-ECS-HVM Affected
Image SLES15-SP7-EC2-ECS-HVM Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed

Share

CVE-2025-12464 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy