CVE-2020-25653 — Race Condition in Spice-vdagent
Severity
6.3MEDIUMNVD
OSV5.5
EPSS
0.1%
top 70.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedNov 26
Latest updateMay 24
Description
A race condition vulnerability was found in the way the spice-vdagentd daemon handled new client connections. This flaw may allow an unprivileged local guest user to become the active agent for spice-vdagentd, possibly resulting in a denial of service or information leakage from the host. The highest threat from this vulnerability is to data confidentiality as well as system availability. This flaw affects spice-vdagent versions 0.20 and prior.
CVSS vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 1.0 | Impact: 5.2
Affected Packages8 packages
Also affects: Debian Linux 9.0, Fedora 32, 33
Patches
🔴Vulnerability Details
3📋Vendor Advisories
4Microsoft▶
A race condition vulnerability was found in the way the spice-vdagentd daemon handled new client connections. This flaw may allow an unprivileged local guest user to become the active agent for spice-↗2020-11-10
Red Hat▶
spice-vdagent: UNIX domain socket peer PID retrieved via SO_PEERCRED is subject to race condition↗2020-11-03
Debian▶
CVE-2020-25653: spice-vdagent - A race condition vulnerability was found in the way the spice-vdagentd daemon ha...↗2020