libvirt is vulnerable to arbitrary code execution. The libvirt APIs virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() accept an “emulator” argument that specifies the program providing emulation for a domain, and libvirt executes that program to probe the domain’s capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.
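
The missing check described above, as an added example: this is a simplified model and not libvirt's own code. The struct, enum, function names and the allowlist of emulator paths are assumptions made for illustration, and no program is executed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a client connection; libvirt's real types differ. */
struct conn { bool read_only; };

enum probe_result {
    PROBE_WOULD_EXEC      =  0,  /* daemon would run the emulator binary */
    PROBE_DENIED_READONLY = -1,  /* caller holds a read-only connection */
    PROBE_DENIED_PATH     = -2   /* emulator path is not on the allowlist */
};

/* Constructed allowlist; a real deployment would take it from configuration. */
static const char *const trusted_emulators[] = {
    "/usr/bin/qemu-system-x86_64",
    "/usr/bin/qemu-kvm",
};

/* Assumption of this model: NULL means "use the daemon's default emulator". */
static bool emulator_is_trusted(const char *path)
{
    if (path == NULL)
        return true;
    for (size_t i = 0; i < sizeof trusted_emulators / sizeof *trusted_emulators; i++)
        if (strcmp(path, trusted_emulators[i]) == 0)  /* exact match only */
            return true;
    return false;
}

/* Before: the caller-supplied path reaches the probe with no checks. */
int probe_unchecked(const struct conn *c, const char *emulator)
{
    (void)c; (void)emulator;
    return PROBE_WOULD_EXEC;
}

/* After: refuse read-only callers first, then restrict which binary may run. */
int probe_checked(const struct conn *c, const char *emulator)
{
    if (c->read_only)
        return PROBE_DENIED_READONLY;
    if (!emulator_is_trusted(emulator))
        return PROBE_DENIED_PATH;
    return PROBE_WOULD_EXEC;
}

int main(void)
{
    struct conn ro = { .read_only = true };
    printf("%d\n", probe_checked(&ro, "/usr/bin/qemu-kvm"));
    return 0;
}
```

The read-only check alone closes the path the text describes; the allowlist is a second layer that limits what a read-write client can make the daemon run.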