66 matches found
CVE-2024-43102 umtx Kernel panic or Use-After-Free
Concurrent removals of certain anonymous shared memory mappings by using the UMTXSHMDESTROY sub-request of UMTXOPSHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early. A malicious code exercizing the UMTXSHMDESTROY...
CVE-2024-32668 bhyve(8) privileged guest escape via USB controller
An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller. A malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve userspace process, whic...
CVE-2024-32668 bhyve(8) privileged guest escape via USB controller
An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller. A malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve userspace process, whic...
CVE-2024-45063 Multiple issues in ctl(4) CAM Target Layer
The function ctlwritebuffer incorrectly set a flag which resulted in a kernel Use-After-Free when a command finished processing. Malicious software running in a guest VM that exposes virtioscsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process,...
CVE-2024-45063
The CVE-2024-45063 issue affects FreeBSD ctl(4) CAM Target Layer. The root cause is that ctl_write_buffer incorrectly sets a flag, causing a kernel Use-After-Free when a command finishes processing. The advisory describes guest VMs exposing virtio_scsi accessing the kernel via bhyve, enabling cod...
CVE-2024-42416 Multiple issues in ctl(4) CAM Target Layer
The ctlreportsupportedopcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel help memory. Malicious software running in a guest VM that exposes virtioscsi can exploit the vulnerabilities to achieve code execution on...
CVE-2024-42416
CVE-2024-42416 affects FreeBSD ctl(4) CAM Target Layer: ctl_report_supported_opcodes did not properly validate a field from userspace, enabling an arbitrary write into limited kernel help memory. Impact: guest VMs using virtio_scsi can abuse this to execute code on the host bhyve process (root), ...
CVE-2024-42416 Multiple issues in ctl(4) CAM Target Layer
The ctlreportsupportedopcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel help memory. Malicious software running in a guest VM that exposes virtioscsi can exploit the vulnerabilities to achieve code execution on...
CVE-2024-8178 Multiple issues in ctl(4) CAM Target Layer
The ctlwritebuffer and ctlreadbuffer functions allocated memory to be returned to userspace, without initializing it. Malicious software running in a guest VM that exposes virtioscsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which...
CVE-2024-8178 Multiple issues in ctl(4) CAM Target Layer
The ctlwritebuffer and ctlreadbuffer functions allocated memory to be returned to userspace, without initializing it. Malicious software running in a guest VM that exposes virtioscsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which...
CVE-2024-8178
CVE-2024-8178 affects the FreeBSD ctl subsystem (ctl_write_buffer and ctl_read_buffer) where memory allocated for return to userspace was not initialized, enabling abuse via virtio_scsi in guest VMs. Exploitation could allow code execution on the host bhyve process (typically running as root), wi...
CVE-2024-41928
Malicious software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve...
CVE-2024-41928 bhyve(8) privileged guest escape via TPM device passthrough
Malicious software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve...
CVE-2024-41928 bhyve(8) privileged guest escape via TPM device passthrough
Malicious software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve...
PT-2024-5986
Name of the Vulnerable Software and Affected Versions: FreeBSD affected versions not specified NetApp ONTAP 9 formerly Clustered Data ONTAP PlayStation 5 versions prior to 7.61 Description: A use-after-free vulnerability exists in the umtx op system call within FreeBSD. This vulnerability arises...
PT-2024-8610 · Bhyve +1 · Bhyve +1
Name of the Vulnerable Software and Affected Versions: bhyve affected versions not specified Description: The issue is related to the ctl report supported opcodes function, which did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel...
PT-2024-29640 · Bhyve +1 · Bhyve +1
Name of the Vulnerable Software and Affected Versions: bhyve affected versions not specified Description: Malicious software running in a guest VM can exploit a buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. The bhyve process ru...
FreeBSD -- umtx Kernel panic or Use-After-Free
Problem Description: Concurrent removals of such a mapping by using the UMTXSHMDESTROY sub-request of UMTXOPSHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early. Impact: A malicious code exercizing the UMTXSHMDESTRO...
FreeBSD -- bhyve(8) privileged guest escape via USB controller
Problem Description: bhyve can be configured to emulate devices on a virtual USB controller XHCI, such as USB tablet devices. An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller. Impact: A malicious, privileged...
PT-2024-8702 · Bhyve +1 · Bhyve +1
Name of the Vulnerable Software and Affected Versions: bhyve affected versions not specified Description: The issue is related to an insufficient boundary validation in the USB code, which could lead to an out-of-bounds write on the heap, with data controlled by the caller. A malicious, privilege...