CVE-2024-3446 — Double Free in Qemu

CWE-415 — Double Free7 documents6 sources

Severity

8.2HIGHNVD

EPSS

0.1%

top 67.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Qemu

Timeline

PublishedApr 9

Latest updateSep 11

Description

A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the context of the QEMU process on the host.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 1.5 | Impact: 6.0

Affected Packages3 packages

▶debiandebian/qemu< qemu 1:7.2+dfsg-7+deb12u6 (bookworm)

▶Debianqemu/qemu< 1:7.2+dfsg-7+deb12u6+2

▶Ubuntuqemu/qemu< 1:6.2+dfsg-2ubuntu6.27+1

🔴Vulnerability Details

OSV

qemu vulnerabilities↗2025-09-11

▶

OSV

CVE-2024-3446: A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insuf↗2024-04-09

▶

GHSA

GHSA-rgvf-j3x5-6277: A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insuf↗2024-04-09

▶

📋Vendor Advisories

Ubuntu

QEMU vulnerabilities↗2025-09-11

▶

Red Hat

QEMU: virtio: DMA reentrancy issue leads to double free vulnerability↗2024-04-04

▶

Debian

CVE-2024-3446: qemu - A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio...↗2024

▶