
Cloud Vulnerability DB
A community-led vulnerabilities database
A migration state inconsistency vulnerability was discovered in QEMU through version 10.0.3, specifically within the hw/pci/pcie_sriov.c component. The vulnerability was assigned CVE-2025-54566 and was publicly disclosed on July 24, 2025. This security flaw is related to CVE-2024-26327 and affects the PCI-E SR-IOV emulation code (NVD, Debian Tracker).
The vulnerability has been assigned a CVSS v3.1 base score of 4.2 (Medium) with the vector string CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L. The flaw is categorized under CWE-642 (External Control of Critical State Data). The issue was introduced in QEMU version 10.0.0-rc0 through two specific commits (Red Hat CVE, Debian Tracker).
The vulnerability can result in unexpected behavior and potential resource exhaustion, leading to denial-of-service conditions. The impact is most relevant during migration, where state mismatches can occur (Red Hat CVE).
According to Red Hat, mitigation options are either not available or do not meet their Product Security criteria for ease of use, deployment, and stability. Several versions of Red Hat Enterprise Linux (6, 7, 8, and 9) are not affected by this vulnerability, while RHEL 10 has a fix deferred status (Red Hat CVE).
Source: This report was generated using AI