CVE-2024-4418 — Return of Stack Variable Address in Libvirt

CWE-562 — Return of Stack Variable Address CWE-416 — Use After Free7 documents7 sources

Severity

6.2MEDIUMNVD

EPSS

0.5%

top 32.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Libvirt Debian Libvirt Msrc Azl3 Libvirt 10.0.0-5 ON Azure Linux 3.0 +3 more

Timeline

PublishedMay 8

Latest updateMay 14

Description

A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being "freed" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access con…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.5 | Impact: 3.6

Affected Packages6 packages

▶debiandebian/libvirt< libvirt 10.3.0-1 (forky)

▶Debianredhat/libvirt< 10.3.0-1+1

▶msrcmsrc/azl3_libvirt_10.0.0-5_on_azure_linux_3.0

▶msrcmsrc/cbl2_libvirt_7.10.0-10_on_cbl_mariner_2.0

▶msrcmsrc/cbl_mariner_2.0_arm

🔴Vulnerability Details

OSV

CVE-2024-4418: A race condition leading to a stack use-after-free flaw was found in libvirt↗2024-05-08

▶

GHSA

GHSA-q262-3hfr-f5q4: A race condition leading to a stack use-after-free flaw was found in libvirt↗2024-05-08

▶

📋Vendor Advisories

Microsoft

Libvirt: stack use-after-free in virnetclientioeventloop()↗2024-05-14

▶

Ubuntu

libvirt vulnerability↗2024-05-07

▶

Red Hat

libvirt: stack use-after-free in virNetClientIOEventLoop()↗2024-05-02

▶

Debian

CVE-2024-4418: libvirt - A race condition leading to a stack use-after-free flaw was found in libvirt. Du...↗2024

▶