CVE-2021-3559Improper Restriction of Operations within the Bounds of a Memory Buffer in Redhat Libvirt

CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer6 documents6 sources
Severity
6.5MEDIUMNVD
EPSS
0.4%
top 41.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Redhat Libvirt
Timeline
PublishedMay 24
Latest updateMay 24

Description

A flaw was found in libvirt in the virConnectListAllNodeDevices API in versions before 7.0.0. It only affects hosts with a PCI device and driver that supports mediated devices (e.g., GRID driver). This flaw could be used by an unprivileged client with a read-only connection to crash the libvirt daemon by executing the 'nodedev-list' virsh command. The highest threat from this vulnerability is to system availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

NVDredhat/libvirt6.10.07.0.0
Ubunturedhat/libvirt< 4.0.0-1ubuntu8.19+1
CVEListV5redhat/libvirtlibvirt 7.0.0

Patches

Patch: bugzilla.redhat.comPatch: bugzilla.redhat.com

🔴Vulnerability Details

3
GHSA
GHSA-4236-36gg-25m7: A flaw was found in libvirt in the virConnectListAllNodeDevices API in versions before 72022-05-24
OSV
CVE-2021-3559: A flaw was found in libvirt in the virConnectListAllNodeDevices API in versions before 72021-05-24
CVEList
CVE-2021-3559: A flaw was found in libvirt in the virConnectListAllNodeDevices API in versions before 72021-05-24

📋Vendor Advisories

2
Debian
CVE-2021-3559: libvirt - A flaw was found in libvirt in the virConnectListAllNodeDevices API in versions ...2021
Red Hat
libvirt: nodedev-list command may cause libvirt to crash on hosts with GRID driver installed2020-12-02