Oracle Linux 9 : libvirt (ELSA-2026-18748)

medium Nessus Plugin ID 324334

Synopsis

The remote Oracle Linux host is missing a security update.

Description

The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-18748 advisory.

[11.10.0-12.3.0.1]
- Set SOURCE_DATE_EPOCH from changelog [Orabug: 32019554]

[11.10.0-12.3.el9_8]
- cpu_conf: Introduce virCPUDefSortFeatures (RHEL-178822)
- qemu_capabilities: Split virQEMUCapsFillDomainCPUCaps (RHEL-178822)
- qemu: Move domain caps flags handling to virQEMUCapsFillDomainCPUHostModel (RHEL-178822)
- qemu_capabilities: Always sort features in host-model CPU (RHEL-178822)
- qemu_capabilities: Use g_autoptr in virQEMUCapsInitHostCPUModel (RHEL-178822)
- qemu_capabilities: Split conditions in virQEMUCapsInitHostCPUModel (RHEL-178822)
- qemu_capabilities: Cache expanded CPU (RHEL-178822)
- domaincapstest: Test EXPAND_CPU_FEATURES flag (RHEL-178822)
- util: Publish and mock virHostCPUGetMSRFromKVM (RHEL-178822)
- cpu_x86: Introduce virCPUx86DataAddMSR (RHEL-178822)
- cpu: Introduce virCPUUpdateFeatures (RHEL-178822)
- Fix documentation of VIR_CONNECT_GET_DOMAIN_CAPABILITIES_EXPAND_CPU_FEATURES (RHEL-178822)
- Introduce VIR_CONNECT_GET_DOMAIN_CAPABILITIES_SUPPORTED_CPU_FEATURES flag (RHEL-178822)
- virsh: Add --supported-cpu-features option for domcapabilities (RHEL-178822)
- domaincapstest: Test SUPPORTED_CPU_FEATURES flag (RHEL-178822)
- qemu_capabilities: Fix domain capabilities on AMD CPUs (RHEL-178822)
- distro: Replace old gating with tmt

[11.10.0-12.2.el9_8]
- Introduce EXPAND_CPU_FEATURES flag for domain capabilities (RHEL-154552)
- qemu: Implement VIR_CONNECT_GET_DOMAIN_CAPABILITIES_EXPAND_CPU_FEATURES (RHEL-154552)
- virsh: Add --expand-cpu-features option for domcapabilities (RHEL-154552)
- docs: Clarify host-model description in domain capabilities (RHEL-154552)
- security_apparmor: Use g_auto* in AppArmorSetSecurityHostdevLabel (RHEL-159913)
- security: Cleanup hostdev label error logic (RHEL-159913)
- qemu: Fix IOMMUFD and VFIO security labels (RHEL-159913)
- viriommufd: Set IOMMU_OPTION_RLIMIT_MODE only when running privileged (RHEL-159174)
- conf: Move and rename virStorageSourceFDTuple object (RHEL-159174)
- conf: Refactor virHostdevIsPCIDevice (RHEL-159174)
- hypervisor: Fix virHostdevNeedsVFIO detection (RHEL-159174)
- qemu: Expand call to qemuDomainNeedsVFIO (RHEL-159174)
- qemu: Update qemuDomainNeedsVFIO to ignore PCI hostdev with IOMMUFD (RHEL-159174)
- src: Use virHostdevIsPCIDeviceWith* to check for IOMMUFD (RHEL-159174)
- conf: Introduce domain iommufd element (RHEL-159174)
- qemu: Implement iommufd (RHEL-159174)
- conf: Add iommufd fdgroup support (RHEL-159174)
- qemu: Implement iommufd fdgroup (RHEL-159174)
- tests: Add iommufd fdgroup test (RHEL-159174)
- hypervisor: Call virWaitForDevices() after detaching host devices (RHEL-159174)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2026-18748.html

Plugin Details

Severity: Medium

ID: 324334

File Name: oraclelinux_ELSA-2026-18748.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 7/1/2026

Updated: 7/1/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.41

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2025-12748

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:libvirt-daemon-config-nwfilter, p-cpe:/a:oracle:linux:libvirt-daemon-plugin-lockd, p-cpe:/a:oracle:linux:libvirt-daemon-common, p-cpe:/a:oracle:linux:libvirt-daemon-driver-network, p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-disk, p-cpe:/a:oracle:linux:libvirt-daemon-kvm, cpe:/o:oracle:linux:9, p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-scsi, p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-mpath, p-cpe:/a:oracle:linux:libvirt-nss, p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-core, p-cpe:/a:oracle:linux:libvirt-daemon-lock, p-cpe:/a:oracle:linux:libvirt-daemon-driver-nodedev, p-cpe:/a:oracle:linux:libvirt-daemon-driver-nwfilter, p-cpe:/a:oracle:linux:libvirt, p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage, p-cpe:/a:oracle:linux:libvirt-daemon-plugin-sanlock, p-cpe:/a:oracle:linux:libvirt-ssh-proxy, p-cpe:/a:oracle:linux:libvirt-devel, p-cpe:/a:oracle:linux:libvirt-docs, p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-rbd, p-cpe:/a:oracle:linux:libvirt-daemon-driver-interface, p-cpe:/a:oracle:linux:libvirt-daemon-driver-secret, p-cpe:/a:oracle:linux:libvirt-libs, p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-iscsi, p-cpe:/a:oracle:linux:libvirt-client, p-cpe:/a:oracle:linux:libvirt-daemon-config-network, p-cpe:/a:oracle:linux:libvirt-daemon-driver-qemu, p-cpe:/a:oracle:linux:libvirt-daemon-log, p-cpe:/a:oracle:linux:libvirt-client-qemu, p-cpe:/a:oracle:linux:libvirt-daemon, p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-logical, p-cpe:/a:oracle:linux:libvirt-daemon-proxy

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Ease: No known exploits are available

Patch Publication Date: 6/30/2026

Vulnerability Publication Date: 11/11/2025

Reference Information

CVE: CVE-2025-12748

IAVA: 2025-A-0839-S