From: Martin Kletzander <mkletzan@redhat.com>
Date: Fri, 28 Nov 2025 10:03:08 +0000 (+0100)
Subject: NEWS: Add CVE-2025-12748
X-Git-Tag: v11.10.0~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6cd0d7951af5ab2eed49a8207f04e034113bfbcb;p=thirdparty%2Flibvirt.git

NEWS: Add CVE-2025-12748

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
---

diff --git a/NEWS.rst b/NEWS.rst
index c742954091..8cc6e698ca 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -13,6 +13,22 @@ v11.10.0 (unreleased)
 
 * **Security**
 
+  * CVE-2025-12748: Denial of service by some ACL-limited accounts
+
+    Parsing of user provided XMLs in APIs which needed the identification
+    information from those XML definitions was done in full before ACL checks
+    were performed.  Some valid, but useless, definitions could cause allocation
+    of too much memory, leading to denial of service. APIs which do equate to
+    full root access (such as ``domain:write``), and were parsing XML
+    definitions in full before performing ACL checks could, potentially, be
+    exploited in a way that would allow users (which were about to be denied the
+    API call) to cause aforementioned overallocation even before the ACL checks
+    were performed.
+
+    A change was made so that parsing before ACL checks are done only for the
+    identification parts of the XML definition (which is needed to perform the
+    checks) and full parsing is done only after checking all ACLs.
+
 * **Removed features**
 
 * **New features**