CVE-2019-10168 in libvirtd
Summary
by MITRE
The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs, 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accept an "emulator" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
Analysis
by VulDB Data Team • 11/23/2025
CVE-2019-10168 affects the libvirt virtualization management library, specifically versions before 4.10.1 in the 4.x line and before 5.4.1 in the 5.x line. The flaw lies in the virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() APIs, which compare a CPU definition against, or compute a baseline CPU from, the capabilities the hypervisor reports. It stems from insufficient validation of the "emulator" argument, which lets the caller name the program that provides emulation for a domain. This design oversight opens a path to privilege escalation through a command injection vulnerability.
The flaw is that read-only clients can point the emulator argument at any executable path on the system. When libvirt handles such a request, it runs the named program to probe its capabilities, and it does so with the privileges of the libvirtd daemon, which typically runs with elevated permissions. This violates the principle of least privilege and gives an unauthorized party a way to execute code. The vulnerability is categorized under CWE-78 as a command injection flaw: user-supplied data is incorporated into a command the system executes without proper sanitization or validation.
The operational impact is significant, since unprivileged users can potentially execute arbitrary code with the privileges of the libvirtd process. This is a substantial risk in virtualized environments where several users have access to the libvirt API: an attacker could use the flaw to escalate privileges, install backdoors, or compromise the entire virtualization infrastructure. Systems that grant read-only access to clients are particularly affected, as those clients can exploit the vulnerability without requiring authentication or elevated privileges. The attack vector aligns with ATT&CK technique T1059.001 for command and script injection, and also maps to T1068 for privilege escalation through local exploits.
Mitigation for CVE-2019-10168 primarily means upgrading to libvirt 4.10.1 or 5.4.1, which properly validate the emulator argument. Administrators should also segment the network to limit access to the libvirt API and grant read-only access only to trusted users. Further measures include configuring libvirt with strict permissions, disabling API endpoints that are not needed, and monitoring for suspicious execution patterns. The vulnerability underlines the importance of validating every user-supplied input in system-level APIs and the need for privilege separation in virtualization management systems. Organizations should assess their virtualization environments thoroughly and ensure that all libvirt components are patched and configured to prevent unauthorized privilege escalation.
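The kind of input validation the fix calls for, as an added example written for this page rather than libvirt's own code: the daemon accepts an emulator path only if it is absolute, canonical, and one of the binaries it already knows, and it never executes the client's string. The allowlist paths and the error codes are constructed assumptions standing in for the daemon's capability cache.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed allowlist standing in for the daemon's own record of the
 * emulator binaries it discovered itself (hypothetical paths). */
static const char *const known_emulators[] = {
    "/usr/bin/qemu-system-x86_64",
    "/usr/bin/qemu-system-aarch64",
};

/* Negative results are errors; non-negative results index known_emulators. */
enum {
    EMULATOR_ERR_NOT_ABS  = -1,  /* relative path */
    EMULATOR_ERR_UNSAFE   = -2,  /* empty, "." or ".." path component */
    EMULATOR_ERR_READONLY = -3,  /* unknown binary asked for by a read-only client */
    EMULATOR_ERR_UNKNOWN  = -4,  /* unknown binary asked for by a read-write client */
};

/* True if every component of the absolute path p is a plain name. */
static bool path_is_canonical(const char *p)
{
    const char *s = p + 1;                          /* p[0] is '/' */
    for (;;) {
        size_t len = strcspn(s, "/");
        if (len == 0 || (len <= 2 && strncmp(s, "..", len) == 0))
            return false;                           /* "//", "/./" or "/../" */
        if (s[len] == '\0')
            return true;
        s += len + 1;
    }
}

/* Resolve a client-supplied emulator path to an allowlist index, so that
 * the daemon later executes its own copy of the path, never the request. */
int emulator_lookup(const char *req, bool read_only)
{
    if (req == NULL || req[0] == '\0')
        return 0;                                   /* none given: default entry */
    if (req[0] != '/')
        return EMULATOR_ERR_NOT_ABS;
    if (!path_is_canonical(req))
        return EMULATOR_ERR_UNSAFE;
    for (int i = 0; i < (int)(sizeof known_emulators / sizeof *known_emulators); i++)
        if (strcmp(req, known_emulators[i]) == 0)
            return i;
    /* Anything else is never executed; the code only records who asked. */
    return read_only ? EMULATOR_ERR_READONLY : EMULATOR_ERR_UNKNOWN;
}
```

A caller that gets a negative result should log the requesting connection and fail the API call instead of falling back to the supplied path.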