CVE-2025-14525
Denial of Service via Network Interface Flood in KubeVirt Guest Agent

Publication date: 2026-01-26

Last updated on: 2026-01-26

Assigner: Red Hat, Inc.

Description
A flaw was found in kubevirt. A user within a virtual machine (VM), if the guest agent is active, can exploit this by causing the agent to report an excessive number of network interfaces. This action can overwhelm the system's ability to store VM configuration updates, effectively blocking changes to the Virtual Machine Instance (VMI). This allows the VM user to restrict the VM administrator's ability to manage the VM, leading to a denial of service for administrative operations.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor     Product     Version / Range
kubevirt   kubevirt    *
CWE ID     Description
CWE-770    The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in KubeVirt occurs when the guest agent inside a virtual machine (VM) reports an excessive number of network interfaces. The reported interfaces are written back into the Virtual Machine Instance (VMI) object, and a large enough list can exhaust the storage capacity of etcd, the key-value store backing the Kubernetes API, so that updates to the VMI configuration are rejected. As a result, a VM user can prevent the VM administrator from managing the VM, causing a denial of service for administrative operations. [1]


How can this vulnerability impact me?

The vulnerability can impact you by allowing a user within a VM to block administrative changes to that VM by overwhelming the system's capacity to store configuration updates. The VM administrator may then be unable to perform necessary management tasks, such as changing network link states, which amounts to a denial of service for VM administration. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves monitoring the guest agent reports for an excessive number of network interfaces within a VM. You can check the number of network interfaces reported by the guest agent inside the VM and see whether it is unusually high, which may indicate exploitation. Commands to list network interfaces inside a Linux VM include `ip link show` or `ifconfig -a`. Additionally, monitoring etcd for capacity limits being reached, or for rejected updates to Virtual Machine Instance (VMI) configurations, can help detect the issue. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include disabling the guest agent if it is not required, so that it cannot report excessive network interfaces. If the guest agent is necessary, monitor and limit the number of network interfaces it reports to avoid hitting etcd capacity limits. Applying any patches or updates provided by KubeVirt before the resolution deadline (February 2, 2026) is also recommended. [1]
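A cluster-side check for the condition described in the detection and mitigation answers above, added here as an example; it is not KubeVirt project code and not part of the original advisory. It reads VMI objects in the shape returned by `kubectl get vmi -A -o json`, counts the entries in `status.interfaces` (the field where KubeVirt publishes the interfaces the guest agent reported), and estimates each object's compact JSON size against an assumed etcd request budget. The thresholds `MAX_INTERFACES` and `SIZE_WARN_RATIO`, the 1.5 MiB figure (assumed to be etcd's default `--max-request-bytes`), and the sample VMI documents are all constructed for this example and must be tuned to the cluster.

```python
"""Flag VMIs whose guest-agent-reported interface list is unusually large.

Added example, not KubeVirt project code. Assumes the VMI JSON layout that
`kubectl get vmi -A -o json` returns; thresholds are assumptions to tune.
"""
import json
import sys

ETCD_REQUEST_LIMIT_BYTES = 1536 * 1024   # assumption: etcd default --max-request-bytes (1.5 MiB)
SIZE_WARN_RATIO = 0.5                    # warn once a VMI object uses half of that budget
MAX_INTERFACES = 64                      # assumption: largest count a legitimate guest needs


def vmi_interface_count(vmi):
    """Number of entries in status.interfaces (populated from guest-agent data)."""
    status = vmi.get("status") or {}
    return len(status.get("interfaces") or [])


def vmi_serialized_bytes(vmi):
    """Compact JSON size, a proxy for what the API server must write into etcd."""
    return len(json.dumps(vmi, separators=(",", ":")).encode("utf-8"))


def assess_vmi(vmi, max_interfaces=MAX_INTERFACES,
               size_limit=ETCD_REQUEST_LIMIT_BYTES, warn_ratio=SIZE_WARN_RATIO):
    """Return a summary dict with a (possibly empty) list of findings for one VMI."""
    meta = vmi.get("metadata") or {}
    count = vmi_interface_count(vmi)
    size = vmi_serialized_bytes(vmi)
    findings = []
    if count > max_interfaces:
        findings.append(f"interface-count {count} exceeds {max_interfaces}")
    if size > size_limit * warn_ratio:
        findings.append(f"object-size {size} B exceeds {warn_ratio:.0%} of the etcd request limit")
    return {"namespace": meta.get("namespace"), "name": meta.get("name"),
            "interfaces": count, "bytes": size, "findings": findings}


def assess_vmi_list(vmi_list, **thresholds):
    """Assess every item of a List document (the shape `kubectl get vmi -A -o json` returns)."""
    return [assess_vmi(item, **thresholds) for item in vmi_list.get("items") or []]


def _make_vmi(name, n_ifaces):
    """Constructed sample VMI with n_ifaces interfaces (not real cluster data)."""
    return {
        "apiVersion": "kubevirt.io/v1", "kind": "VirtualMachineInstance",
        "metadata": {"name": name, "namespace": "tenant-a"},
        "status": {"phase": "Running", "interfaces": [
            {"name": f"net{i}", "interfaceName": f"eth{i}",
             "mac": f"02:00:00:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}:00",
             "ipAddress": f"10.{(i >> 8) & 0xff}.{i & 0xff}.2",
             "infoSource": "guest-agent"} for i in range(n_ifaces)]},
    }


# Constructed sample: one ordinary guest and one that floods the interface list.
SAMPLE_VMI_LIST = {"apiVersion": "v1", "kind": "List",
                   "items": [_make_vmi("web-01", 2), _make_vmi("noisy-guest", 20000)]}

if __name__ == "__main__":
    doc = SAMPLE_VMI_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    for result in assess_vmi_list(doc):
        if result["findings"]:
            print(f"{result['namespace']}/{result['name']}: " + "; ".join(result["findings"]))
```

Run as `kubectl get vmi -A -o json | python3 vmi_iface_check.py` it prints one line per VMI that trips a threshold; with no piped input it runs against the constructed sample and reports `noisy-guest`. Hits are worth correlating with API-server errors on VMI status updates, since rejected updates are the symptom the advisory describes.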

