CVE-2019-10166 in libvirtd
Summary
by MITRE
It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed.
Analysis
by VulDB Data Team • 11/23/2025
The vulnerability CVE-2019-10166 represents a significant privilege escalation issue within the libvirt virtualization management daemon. This flaw exists in libvirtd versions 4.x.x prior to 4.10.1 and 5.x.x prior to 5.4.1, where the access control mechanisms fail to properly enforce security boundaries for read-only client connections. The vulnerability stems from an improper implementation of the virDomainManagedSaveDefineXML() API, which should have been restricted to privileged users only but was inadvertently made accessible to read-only clients.
The technical flaw manifests through a specific API misconfiguration that allows unauthorized modification of managed save state files. When a domain has been previously saved with managed save functionality by a privileged user, the vulnerability enables local attackers with read-only access to manipulate these saved state files. This creates a dangerous scenario where attackers can inject malicious content into the managed save file, specifically crafting payloads that will execute arbitrary programs when the domain resumes its operation. The underlying issue involves insufficient input validation and access control enforcement within the libvirt daemon's API implementation.
The operational impact of this vulnerability is severe as it provides local attackers with a path to execute arbitrary code with the privileges of the libvirtd process. Since libvirtd typically runs with elevated privileges to manage virtual machines, successful exploitation could result in complete compromise of the host system. The vulnerability is particularly dangerous because it requires minimal privileges to exploit and can be leveraged to establish persistent backdoors or escalate privileges further within the virtualization environment. Attackers could potentially use this to gain root access on the host system, making it a critical security concern for any system running vulnerable versions of libvirt.
This vulnerability maps to CWE-284 Access Control Issues, specifically involving improper access control for privileged operations within a virtualization management system. From an ATT&CK perspective, this represents a privilege escalation technique through API misuse and could be categorized under T1068, Local Privilege Escalation, and potentially T1543, Create or Modify System Process. The vulnerability also aligns with T1059, Command and Scripting Interpreter, as it enables arbitrary code execution. Organizations should immediately apply the security patches released in libvirt versions 4.10.1 and 5.4.1, which properly restrict the virDomainManagedSaveDefineXML() API to privileged users only. Additionally, implementing network segmentation, monitoring for unauthorized API usage, and maintaining strict access controls for libvirt connections can help mitigate the risk of exploitation in environments where patching may not be immediately possible.
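A host triage check for the affected ranges and the read-only socket exposure described above, as an added example (not code from VulDB or the libvirt project). It assumes the `libvirtd --version` output format and the `unix_sock_ro_perms` key from `/etc/libvirt/libvirtd.conf`; the function names and sample inputs are constructed for illustration. Distribution packages can carry a backported fix under an unchanged upstream version, so an "affected" verdict is a prompt to check the package changelog.

```python
import re

# Fixed releases stated in the advisory, keyed by major version.
FIXED = {4: (4, 10, 1), 5: (5, 4, 1)}
DEFAULT_RO_PERMS = 0o777  # libvirtd.conf default when the key is unset


def parse_version(text):
    """Extract (major, minor, micro) from `libvirtd --version` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True for 4.x.x < 4.10.1 and 5.x.x < 5.4.1, the ranges the advisory gives."""
    fixed = FIXED.get(version[0])
    return fixed is not None and version < fixed


def ro_socket_mode(conf_text):
    """Mode of the read-only socket from libvirtd.conf text.

    Commented-out lines are ignored. If the key appears more than once the
    modes are OR-ed, so the verdict errs toward "exposed".
    """
    hits = re.findall(r'^\s*unix_sock_ro_perms\s*=\s*"([0-7]+)"', conf_text, re.M)
    mode = 0
    for value in hits:
        mode |= int(value, 8)
    return mode if hits else DEFAULT_RO_PERMS


def assess(version_text, conf_text):
    """Combine both checks into a short triage verdict."""
    if not is_affected(parse_version(version_text)):
        return "not in affected range"
    # Connecting to a UNIX socket requires write permission on it.
    if ro_socket_mode(conf_text) & 0o002:
        return "affected: any local user can open a read-only connection"
    return "affected: read-only socket limited to owner/group"


# Constructed sample inputs, not taken from a real host.
SAMPLE_VERSION = "libvirtd (libvirt) 4.5.0"
SAMPLE_CONF = '#unix_sock_ro_perms = "0777"\nunix_sock_group = "libvirt"\n'

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONF))
```

Tightening `unix_sock_ro_perms` narrows who can reach the API on an unpatched host but does not fix the flaw; the upgrade to 4.10.1 or 5.4.1 remains the remedy.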