Bug 2423549 (CVE-2025-14876)

Summary: CVE-2025-14876 qemu-kvm: Unbounded allocation in virtio-crypto
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the virtio-crypto device of QEMU. A malicious guest operating system can exploit a missing length limit in the AKCIPHER path, leading to uncontrolled memory allocation. This can result in a denial of service (DoS) on the host system by causing the QEMU process to terminate unexpectedly.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2423564, 2423565    
Bug Blocks:    

Description OSIDB Bzimport 2025-12-18 12:34:27 UTC 
A flaw was found in the virtio-crypto device of QEMU. The symmetric path enforces a length limit using conf.max_size, but the AKCIPHER path does not impose any bound. This could allow a malicious guest to trigger a memory exhaustion condition, potentially resulting in a denial of service (DoS) by aborting the QEMU process on the host.

Upstream patch:
https://lore.kernel.org/qemu-devel/20251221024321.143196-1-zhenwei.pi@linux.dev/
Comment 4 Mauro Matteo Cascella 2026-02-06 11:09:05 UTC 
Upstream patch & fix commit:
- https://lore.kernel.org/qemu-devel/20251221024321.143196-3-zhenwei.pi@linux.dev/T/
- https://gitlab.com/qemu-project/qemu/-/commit/91c6438caffc880e999a7312825479685d659b44