CVE-2024-4467 — Out-of-bounds Write in Qemu

CWE-787 — Out-of-bounds Write CWE-400 — Uncontrolled Resource Consumption CWE-22 — Path Traversal9 documents7 sources

Severity

7.8HIGHNVD

OSV8.2

EPSS

0.1%

top 83.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qemu Debian Qemu Msrc Azl3 Qemu 8.2.0-14 ON Azure Linux 3.0 +2 more

Timeline

PublishedJul 2

Latest updateSep 11

Description

A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages6 packages

▶debiandebian/qemu< qemu 1:7.2+dfsg-7+deb12u7 (bookworm)

▶Debianqemu/qemu< 1:7.2+dfsg-7+deb12u7+2

▶Ubuntuqemu/qemu< 1:6.2+dfsg-2ubuntu6.27+1

▶msrcmsrc/azl3_qemu_8.2.0-14_on_azure_linux_3.0

▶msrcmsrc/azl3_qemu_8.2.0-16_on_azure_linux_3.0

🔴Vulnerability Details

OSV

qemu vulnerabilities↗2025-09-11

▶

GHSA

GHSA-5cwv-6xqx-92m5: A flaw was found in the QEMU disk image utility (qemu-img) 'info' command↗2024-07-02

▶

OSV

CVE-2024-4467: A flaw was found in the QEMU disk image utility (qemu-img) 'info' command↗2024-07-02

▶

📋Vendor Advisories

Ubuntu

QEMU vulnerabilities↗2025-09-11

▶

Microsoft

Qemu-kvm: 'qemu-img info' leads to host file read/write↗2024-07-09

▶

Red Hat

OpenStack: malicious qcow2/vmdk images↗2024-07-02

▶

Red Hat

qemu-kvm: 'qemu-img info' leads to host file read/write↗2024-07-02

▶

Debian

CVE-2024-4467: qemu - A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A spe...↗2024

▶