2421360 – (CVE-2025-14525) CVE-2025-14525 kubevirt: kubevirt: VM administration denial of service via guest agent

Bug 2421360 (CVE-2025-14525) - CVE-2025-14525 kubevirt: kubevirt: VM administration denial of service via guest agent

Summary: CVE-2025-14525 kubevirt: kubevirt: VM administration denial of service via gu...

Keywords:
Status:	NEW
Alias:	CVE-2025-14525
Deadline:	2026-02-02
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-11 08:13 UTC by OSIDB Bzimport
Modified:	2026-01-26 18:57 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-11 08:13:58 UTC

If guest agent is enabled, it reports all the interfaces found in the guest. If there are just enough interfaces to fill up the object capacity on etcd, updates of the VMI may be blocked. This enables the VM user to limit the power of VM admin.

One example of such an exploit may be that the user prevents the admin from setting the network link state from up to down (2 extra characters would be needed).

Note You need to log in before you can comment on or make changes to this bug.