Redhat Libvirt vulnerabilities
90 known vulnerabilities affecting redhat/libvirt.
Total CVEs: 90
CISA KEV: 0
Public exploits: 3
Exploited in wild: 1
Severity breakdown: CRITICAL 1, HIGH 16, MEDIUM 58, LOW 15
Vulnerabilities
Page 1 of 5
CVE-2025-13193 | MEDIUM | CVSS 5.5 | ≥ 0, < 11.3.0-3+deb13u2; ≥ 0, < 11.10.0-1 | 2025-11-17
A flaw was found in libvirt. External inactive snapshots for shut-down VMs are incorrectly created as world-readable, making it possible for unprivileged users to inspect the guest OS contents. This results in an information disclosure vulnerability.
osv
CVE-2025-12748 | MEDIUM | CVSS 5.5 | ≥ 0, < 11.3.0-3+deb13u2; ≥ 0, < 11.10.0-1 | 2025-11-11
A flaw was discovered in libvirt in the XML file processing. More specifically, the parsing of user provided XML files was performed before the ACL checks. A malicious user with limited permissions could exploit this flaw by submitting a specially crafted XML file, causing libvirt to allocate too much memory on the host. The excessive memory consumption could lead to a libvirt process crash on the
osv
CVE-2024-8235 | MEDIUM | CVSS 6.2 | CWE-476 | ≥ 10.4.0, < 10.7.0 | 2024-08-30
A flaw was found in libvirt. A refactor of the code fetching the list of interfaces for multiple APIs introduced a corner case on platforms where allocating 0 bytes of memory results in a NULL pointer. This corner case would lead to a NULL-pointer dereference and subsequent crash of virtinterfaced. This issue could allow clients connecting to the read
nvd, osv
CVE-2024-4418 | MEDIUM | CVSS 6.2 | ≥ 0, < 10.3.0-1 | 2024-05-08
A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being "freed" when returning from virNetClientIOEventLoo
osv
CVE-2024-1441 | MEDIUM | CVSS 5.5 | ≥ 0, < 6.0.0-0ubuntu8.19; ≥ 0, < 8.0.0-1ubuntu7.10 | 2024-04-15
libvirt vulnerabilities
Alexander Kuznetsov discovered that libvirt incorrectly handled certain API
calls. An attacker could possibly use this issue to cause libvirt to crash,
resulting in a denial of service. (CVE-2024-1441)
It was discovered that libvirt incorrectly handled certain RPC library API
calls. An attacker could possibly use this issue to cause libvirt to crash,
resulting in a denial of service. (CVE-2024-2494)
It was discovered that
osv
CVE-2024-2494 | MEDIUM | CVSS 6.2 | ≥ 0, < 7.0.0-3+deb11u3; ≥ 0, < 9.0.0-4+deb12u1; +1 more | 2024-03-21
A flaw was found in the RPC library APIs of libvirt. The RPC server deserialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length to the g_new0 function results in a crash due to the negative length being treated as a huge positive number. This flaw allows a local, unprivileged user to perform a denial of service attac
osv
CVE-2024-2496 | MEDIUM | CVSS 5.5 | CWE-476 | fixed in 9.8.0 | 2024-03-18
A NULL pointer dereference flaw was found in the udevConnectListAllInterfaces() function in libvirt. This issue can occur when detaching a host interface while at the same time collecting the list of interfaces via virConnectListAllInterfaces API. This flaw could be used to perform a denial of service attack by causing the libvirt daemon to crash.
nvd, osv
CVE-2023-3750 | MEDIUM | CVSS 5.3 | ≥ 0, < 9.0.0-4+deb12u1; ≥ 0, < 9.6.0-1 | 2023-07-24
A flaw was found in libvirt. The virStoragePoolObjListSearch function does not return a locked pool as expected, resulting in a race condition and denial of service when attempting to lock the same object from another thread. This issue could allow clients connecting to the read-only socket to crash the libvirt daemon.
osv
CVE-2023-2700 | MEDIUM | CVSS 5.5 | CWE-401 | v4.5.0; vlibvirt-4.5.0 | 2023-05-15
A vulnerability was found in libvirt. This security flaw occurs due to repeatedly querying an SR-IOV PCI device's capabilities that exposes a memory leak caused by a failure to free the virPCIVirtualFunction array within the parent struct's g_autoptr cleanup.
nvd, osv
CVE-2021-3975 | MEDIUM | CVSS 6.5 | CWE-416 | fixed in 7.1.0; vFixed in libvirt v7.1.0 | 2022-08-23
A use-after-free flaw was found in libvirt. The qemuMonitorUnregister() function in qemuProcessHandleMonitorEOF is called using multiple threads without being adequately protected by a monitor lock. This flaw could be triggered by the virConnectGetAllDomainStats API when the guest is shutting down. An unprivileged client with a read-only connection co
nvd, osv
CVE-2022-0897 | MEDIUM | CVSS 4.3 | CWE-667 | ≤ 1.1.1; vlibvirt 8.0.0-8 | 2022-03-25
A flaw was found in the libvirt nwfilter driver. The virNWFilterObjListNumOfNWFilters method failed to acquire the driver->nwfilters mutex before iterating over virNWFilterObj instances. There was no protection to stop another thread from concurrently modifying the driver->nwfilters object. This flaw allows a malicious, unprivileged user to exploit thi
nvd, osv
CVE-2021-4147 | MEDIUM | CVSS 6.5 | CWE-667 | fixed in 2.33.0; vlibvirt 2.33.0 | 2022-03-25
A flaw was found in the libvirt libxl driver. A malicious guest could continuously reboot itself and cause libvirtd on the host to deadlock or crash, resulting in a denial of service condition.
nvd, osv
CVE-2021-3667 | MEDIUM | CVSS 6.5 | CWE-667 | ≥ 4.1.0, ≤ 7.5.0; vFixedin - libvert v7.6.0-rc1 and above | 2022-03-02
An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock
nvd, osv
CVE-2021-3631 | MEDIUM | CVSS 6.3 | CWE-732 | fixed in 7.5.0; vFixed-In - libvirt v7.5.0 | 2022-03-02
A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out of sVirt confinement. The highest threat from this vulnerability is to confidentiality and integrity.
nvd, osv
CVE-2020-10701 | MEDIUM | CVSS 6.5 | CWE-862 | fixed in 6.2.0; vlibvirt 6.2.0 | 2021-05-27
A missing authorization flaw was found in the libvirt API responsible for changing the QEMU agent response timeout. This flaw allows read-only connections to adjust the time that libvirt waits for the QEMU guest agent to respond to agent commands. Depending on the timeout value that is set, this flaw can make guest agent commands fail because the ag
nvd, osv
CVE-2020-14301 | MEDIUM | CVSS 6.5 | CWE-212 | ≥ 6.2.0, < 6.3.0; vlibvirt 6.3.0 | 2021-05-27
An information disclosure vulnerability was found in libvirt in versions before 6.3.0. HTTP cookies used to access network-based disks were saved in the XML dump of the guest domain. This flaw allows an attacker to access potentially sensitive information in the domain configuration via the `dumpxml` command.
nvd
CVE-2021-3559 | MEDIUM | CVSS 6.5 | CWE-119 | ≥ 6.10.0, < 7.0.0; vlibvirt 7.0.0 | 2021-05-24
A flaw was found in libvirt in the virConnectListAllNodeDevices API in versions before 7.0.0. It only affects hosts with a PCI device and driver that supports mediated devices (e.g., GRID driver). This flaw could be used by an unprivileged client with a read-only connection to crash the libvirt daemon by executing the 'nodedev-list' virsh command. The
nvd, osv
CVE-2020-14339 | HIGH | CVSS 8.8 | CWE-772 | ≥ 6.2.0, < 6.7.0; vlibvirt 6.6.0 | 2020-12-03
A flaw was found in libvirt, where it leaked a file descriptor for `/dev/mapper/control` into the QEMU process. This file descriptor allows for privileged operations to happen against the device-mapper on the host. This flaw allows a malicious guest user or process to perform operations outside of their standard permissions, potentially causing seriou
nvd, osv
CVE-2020-25637 | MEDIUM | CVSS 6.7 | CWE-415 | fixed in 6.8.0; vlibvirt versions before 6.8.0 | 2020-10-06
A double free memory issue was found to occur in the libvirt API, in versions before 6.8.0, responsible for requesting information about network interfaces of a running QEMU domain. This flaw affects the polkit access control driver. Specifically, clients connecting to the read-write socket with limited ACL permissions could use this flaw to crash t
nvd, osv
CVE-2020-15708 | HIGH | CVSS 7.8 | ≥ 0, < 6.0.0-0ubuntu8.3 | 2020-08-04
Ubuntu's packaging of libvirt in 20.04 LTS created a control socket with world read and write permissions. An attacker could use this to overwrite arbitrary files or execute arbitrary code.
osv