CVE-2025-14876 | THREATINT

Description

A flaw was found in the virtio-crypto device of QEMU. A malicious guest operating system can exploit a missing length limit in the AKCIPHER path, leading to uncontrolled memory allocation. This can result in a denial of service (DoS) on the host system by causing the QEMU process to terminate unexpectedly.

PUBLISHED Reserved 2025-12-18 | Published 2026-02-18 | Updated 2026-02-18 | Assigner fedora

MEDIUM: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem types

Allocation of Resources Without Limits or Throttling

Product status

Default status

unaffected

7.1.0 (semver)

affected

Default status

unaffected

Default status

unaffected

Default status

unaffected

Default status

unaffected

Default status

unaffected

Default status

unaffected

Default status

unaffected

Timeline

2025-12-18:	Reported to Red Hat.
2025-12-14:	Made public.

Credits

Red Hat would like to thank James Nakamura <nakamurajames123@gmail.com> for reporting this issue.

References

access.redhat.com/security/cve/CVE-2025-14876 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2423549 (RHBZ#2423549) issue-tracking

cve.org (CVE-2025-14876)

nvd.nist.gov (CVE-2025-14876)

Download JSON