Arbitrary Code Execution Vulnerability in libnbd by Red Hat
CVE-2025-14946

4.8MEDIUM

Key Information:

Vendor

Red Hat
Status
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat Openshift Virtualization 4
Vendor
CVE Published:
19 December 2025

What is CVE-2025-14946?

A security flaw observed in libnbd could allow a malicious actor to exploit the software by persuading it to open a specially crafted Uniform Resource Identifier (URI). This vulnerability is particularly concerning as it involves non-standard hostnames that begin with '-o', which are mistakenly processed as arguments for the Secure Shell (SSH) process instead of legitimate hostnames. If exploited, this can result in the execution of arbitrary code with the same privileges as the user running the libnbd process.

References

https://access.redhat.com/security/cve/CVE-2025-14946
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2423789
issue-trackingx_refsource_REDHAT
https://libguestfs.org/libnbd-release-notes-1.24.1.html#S...

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-14946 : Arbitrary Code Execution Vulnerability in libnbd by Red Hat