CVE-2020-24165 — Use After Free in Qemu

CWE-416 — Use After Free10 documents7 sources

Severity

8.8HIGHNVD

OSV3.2

EPSS

0.4%

top 37.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Linux

Timeline

PublishedAug 28

Latest updateJun 6

Description

An issue was discovered in TCG Accelerator in QEMU 4.2.0, allows local attackers to execute arbitrary code, escalate privileges, and cause a denial of service (DoS). Note: This is disputed as a bug and not a valid security issue by multiple third parties.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 2.0 | Impact: 6.0

Affected Packages3 packages

▶Debianqemu/qemu< 1:5.0-1+3

▶Ubuntuqemu/qemu< 1:4.2-3ubuntu6.28+3

▶NVDqemu/qemu4.2.0

Also affects: Debian Linux 10.0

🔴Vulnerability Details

OSV

qemu regression↗2024-06-06

▶

OSV

qemu vulnerabilities↗2024-01-08

▶

OSV

CVE-2020-24165: An issue was discovered in TCG Accelerator in QEMU 4↗2023-08-28

▶

GHSA

GHSA-xc5f-ww2c-46pr: An issue was discovered in TCG Accelerator in QEMU 4↗2023-08-28

▶

CVEList

CVE-2020-24165: An issue was discovered in TCG Accelerator in QEMU 4↗2023-08-28

▶

📋Vendor Advisories

Ubuntu

QEMU regression↗2024-06-06

▶

Ubuntu

QEMU vulnerabilities↗2024-01-08

▶

Red Hat

QEMU: use-after-free in TCG accelerator can lead to local privilege escalation↗2023-08-28

▶

Debian

CVE-2020-24165: qemu - An issue was discovered in TCG Accelerator in QEMU 4.2.0, allows local attackers...↗2020

▶