CVE-2025-14946
Publication date 22 December 2025
Last updated 22 December 2025
Ubuntu priority
Description
A flaw was found in libnbd. A malicious actor could exploit this by convincing libnbd to open a specially crafted Uniform Resource Identifier (URI). This vulnerability arises because non-standard hostnames starting with '-o' are incorrectly interpreted as arguments to the Secure Shell (SSH) process, rather than as hostnames. This could lead to arbitrary code execution with the privileges of the user running libnbd.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libnbd | 25.10 questing |
Needs evaluation
|
| 25.04 plucky |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
4.8 · Medium
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2025-14946
- https://libguestfs.org/libnbd-release-notes-1.24.1.html#Security
- https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/YZMBF3SJRWTRVT5L3KWSNHITFTRMQNTT/
- https://access.redhat.com/security/cve/CVE-2025-14946
- https://bugzilla.redhat.com/show_bug.cgi?id=2423789