CVE-2025-12464: Qemu-kvm: stack buffer overflow in e1000 device via short frames in loopback mode
A stack-based buffer overflow was found in the QEMU e1000 network device. The code for padding short frames was dropped from individual network devices and moved to the net core code. The issue stems from the device's receive code still being able to process a short frame in loopback mode. This could lead to a buffer overrun in the e1000_receive_iov() function via the loopback code path. A malicious guest user could use this vulnerability to crash the QEMU process on the host, resulting in a denial of service.
Security readout for executives and security teams
Plain-English summary
CVE-2025-12464 is a QEMU e1000 virtual network device flaw. A user inside a guest VM could trigger a stack buffer overflow in loopback handling and crash the QEMU process on the host. The stated impact is denial of service, not data theft or host takeover.
Executive priority
Treat as a medium-priority availability risk for affected virtualization platforms. It can disrupt workloads by crashing QEMU, but sources do not show active exploitation or confidentiality impact. Prioritize patch tracking and exposure inventory over emergency response unless critical services rely on affected hosts.
Technical view
The flaw is a CWE-121 stack-based buffer overflow in QEMU e1000 receive handling. Short-frame padding moved to net core, but e1000 loopback receive can still process short frames, overrunning e1000_receive_iov(). Red Hat rates it medium, CVSS 6.2, with availability impact only.
Likely exposure
Relevant to virtualization environments using affected qemu-kvm builds and e1000 virtual NICs. The source bundle lists Red Hat Enterprise Linux 9, Red Hat Enterprise Linux 10, and Red Hat OpenShift Container Platform 4 rhcos as affected. RHEL 6, 7, 8 entries are listed as unaffected.
Exploitation context
The attack is local to a guest VM context. Sources describe a malicious guest user causing the host-side QEMU process to crash, resulting in denial of service for that VM or workload. No source in the bundle indicates active exploitation, public exploit availability, or broader compromise.
Researcher notes
Evidence is strongest for the described QEMU e1000 loopback short-frame path and Red Hat product impact. The bundle does not provide a specific fixed version, patch commit, or exploit proof. Validate against vendor advisories before declaring remediation complete.
Mitigation direction
Check Red Hat advisories and errata for fixed qemu-kvm or rhcos builds.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-121: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-121 · source CWE mapping
Stack-based Buffer Overflow
Stack-based Buffer Overflow represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.