Debian Libvirt vulnerabilities

87 known vulnerabilities affecting debian/libvirt.

Total CVEs: 87
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 15, MEDIUM 39, LOW 32

Vulnerabilities

Page 1 of 5
CVE-2025-12748 | MEDIUM | CVSS 5.5 | fixed in libvirt 11.10.0-1 (forky) | 2025
CVE-2025-12748 [MEDIUM]: libvirt - A flaw was discovered in libvirt in the XML file processing. More specifically, the parsing of user-provided XML files was performed before the ACL checks. A malicious user with limited permissions could exploit this flaw by submitting a specially crafted XML file, causing libvirt to allocate too much memory on the host. The excessive memory consumption could lead
debian
CVE-2025-13193 | LOW | CVSS 5.5 | fixed in libvirt 11.10.0-1 (forky) | 2025
CVE-2025-13193 [MEDIUM]: libvirt - A flaw was found in libvirt. External inactive snapshots for shut-down VMs are incorrectly created as world-readable, making it possible for unprivileged users to inspect the guest OS contents. This results in an information disclosure vulnerability. Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved (fixed in 11.10.0-1); sid: resolved (fixed in 11.
debian
CVE-2024-2496 | MEDIUM | CVSS 5.0 | fixed in libvirt 9.0.0-4+deb12u1 (bookworm) | 2024
CVE-2024-2496 [MEDIUM]: libvirt - A NULL pointer dereference flaw was found in the udevConnectListAllInterfaces() function in libvirt. This issue can occur when detaching a host interface while at the same time collecting the list of interfaces via virConnectListAllInterfaces API. This flaw could be used to perform a denial of service attack by causing the libvirt daemon to crash. Scope: local bookw
debian
CVE-2024-2494 | MEDIUM | CVSS 6.2 | fixed in libvirt 9.0.0-4+deb12u1 (bookworm) | 2024
CVE-2024-2494 [MEDIUM]: libvirt - A flaw was found in the RPC library APIs of libvirt. The RPC server deserialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length to the g_new0 function results in a crash due to the negative length being treated as a huge positive number. This flaw allows a local, unprivileged
debian
CVE-2024-1441 | MEDIUM | CVSS 5.5 | fixed in libvirt 9.0.0-4+deb12u1 (bookworm) | 2024
CVE-2024-1441 [MEDIUM]: libvirt - An off-by-one error flaw was found in the udevListInterfacesByStatus() function in libvirt when the number of interfaces exceeds the size of the `names` array. This issue can be reproduced by sending specially crafted data to the libvirt daemon, allowing an unprivileged client to perform a denial of service attack by causing the libvirt daemon to crash. Scope: local
debian
CVE-2024-8235 | LOW | CVSS 6.2 | fixed in libvirt 10.7.0-1 (forky) | 2024
CVE-2024-8235 [MEDIUM]: libvirt - A flaw was found in libvirt. A refactor of the code fetching the list of interfaces for multiple APIs introduced a corner case on platforms where allocating 0 bytes of memory results in a NULL pointer. This corner case would lead to a NULL-pointer dereference and subsequent crash of virtinterfaced. This issue could allow clients connecting to the read-only socket to
debian
CVE-2024-4418 | LOW | CVSS 6.2 | fixed in libvirt 10.3.0-1 (forky) | 2024
CVE-2024-4418 [MEDIUM]: libvirt - A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being "freed" when returning from virNe
debian
CVE-2023-2700 | MEDIUM | CVSS 5.5 | fixed in libvirt 9.0.0-4 (bookworm) | 2023
CVE-2023-2700 [MEDIUM]: libvirt - A vulnerability was found in libvirt. This security flaw occurs due to repeatedly querying an SR-IOV PCI device's capabilities that exposes a memory leak caused by a failure to free the virPCIVirtualFunction array within the parent struct's g_autoptr cleanup. Scope: local. bookworm: resolved (fixed in 9.0.0-4); bullseye: resolved; forky: resolved (fixed in 9.0.0-4); si
debian
CVE-2023-3750 | MEDIUM | CVSS 6.5 | fixed in libvirt 9.0.0-4+deb12u1 (bookworm) | 2023
CVE-2023-3750 [MEDIUM]: libvirt - A flaw was found in libvirt. The virStoragePoolObjListSearch function does not return a locked pool as expected, resulting in a race condition and denial of service when attempting to lock the same object from another thread. This issue could allow clients connecting to the read-only socket to crash the libvirt daemon. Scope: local. bookworm: resolved (fixed in 9.0.0
debian
CVE-2022-0897 | MEDIUM | CVSS 4.3 | fixed in libvirt 8.2.0-1 (bookworm) | 2022
CVE-2022-0897 [MEDIUM]: libvirt - A flaw was found in the libvirt nwfilter driver. The virNWFilterObjListNumOfNWFilters method failed to acquire the driver->nwfilters mutex before iterating over virNWFilterObj instances. There was no protection to stop another thread from concurrently modifying the driver->nwfilters object. This flaw allows a malicious, unprivileged user to exploit this issue via li
debian
CVE-2021-3667 | MEDIUM | CVSS 6.5 | fixed in libvirt 7.6.0-1 (bookworm) | 2021
CVE-2021-3667 [MEDIUM]: libvirt - An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent oth
debian
CVE-2021-3975 | MEDIUM | CVSS 6.5 | fixed in libvirt 7.6.0-1 (bookworm) | 2021
CVE-2021-3975 [MEDIUM]: libvirt - A use-after-free flaw was found in libvirt. The qemuMonitorUnregister() function in qemuProcessHandleMonitorEOF is called using multiple threads without being adequately protected by a monitor lock. This flaw could be triggered by the virConnectGetAllDomainStats API when the guest is shutting down. An unprivileged client with a read-only connection could use this fl
debian
CVE-2021-4147 | MEDIUM | CVSS 6.5 | fixed in libvirt 7.10.0-2 (bookworm) | 2021
CVE-2021-4147 [MEDIUM]: libvirt - A flaw was found in the libvirt libxl driver. A malicious guest could continuously reboot itself and cause libvirtd on the host to deadlock or crash, resulting in a denial of service condition. Scope: local. bookworm: resolved (fixed in 7.10.0-2); bullseye: resolved (fixed in 7.0.0-3+deb11u3); forky: resolved (fixed in 7.10.0-2); sid: resolved (fixed in 7.10.0-2); trixie
debian
CVE-2021-3631 | MEDIUM | CVSS 6.3 | fixed in libvirt 7.6.0-1 (bookworm) | 2021
CVE-2021-3631 [MEDIUM]: libvirt - A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out of sVirt confinement. The highest threat from this vulnerability is to confidentiality and integrity. Scope: local. bookworm: resolved (fixed in 7.6.0-1); bullse
debian
CVE-2021-3559 | LOW | CVSS 6.5 | 2021
CVE-2021-3559 [MEDIUM]: libvirt - A flaw was found in libvirt in the virConnectListAllNodeDevices API in versions before 7.0.0. It only affects hosts with a PCI device and driver that supports mediated devices (e.g., GRID driver). This flaw could be used by an unprivileged client with a read-only connection to crash the libvirt daemon by executing the 'nodedev-list' virsh command. The highest threat
debian
CVE-2020-14339 | HIGH | CVSS 8.8 | fixed in libvirt 6.6.0-1 (bookworm) | 2020
CVE-2020-14339 [HIGH]: libvirt - A flaw was found in libvirt, where it leaked a file descriptor for `/dev/mapper/control` into the QEMU process. This file descriptor allows for privileged operations to happen against the device-mapper on the host. This flaw allows a malicious guest user or process to perform operations outside of their standard permissions, potentially causing serious damage to the
debian
CVE-2020-25637 | MEDIUM | CVSS 6.7 | fixed in libvirt 6.8.0-1 (bookworm) | 2020
CVE-2020-25637 [MEDIUM]: libvirt - A double free memory issue was found to occur in the libvirt API, in versions before 6.8.0, responsible for requesting information about network interfaces of a running QEMU domain. This flaw affects the polkit access control driver. Specifically, clients connecting to the read-write socket with limited ACL permissions could use this flaw to crash the libvirt daem
debian
CVE-2020-10701 | MEDIUM | CVSS 6.5 | fixed in libvirt 6.0.0-7 (bookworm) | 2020
CVE-2020-10701 [MEDIUM]: libvirt - A missing authorization flaw was found in the libvirt API responsible for changing the QEMU agent response timeout. This flaw allows read-only connections to adjust the time that libvirt waits for the QEMU guest agent to respond to agent commands. Depending on the timeout value that is set, this flaw can make guest agent commands fail because the agent cannot resp
debian
CVE-2020-10703 | MEDIUM | CVSS 6.5 | fixed in libvirt 6.0.0-2 (bookworm) | 2020
CVE-2020-10703 [MEDIUM]: libvirt - A NULL pointer dereference was found in the libvirt API responsible for fetching a storage pool based on its target path; it was introduced in upstream version 3.10.0 and fixed in libvirt 6.0.0. In more detail, this flaw affects storage pools created without a target path such as network-based pools like gluster and RBD. Unprivileged users with a read-only connection co
debian
CVE-2020-14301 | LOW | CVSS 6.5 | 2020
CVE-2020-14301 [MEDIUM]: libvirt - An information disclosure vulnerability was found in libvirt in versions before 6.3.0. HTTP cookies used to access network-based disks were saved in the XML dump of the guest domain. This flaw allows an attacker to access potentially sensitive information in the domain configuration via the `dumpxml` command. Scope: local. bookworm: resolved; bullseye: resolved; fork
debian