Medium: libvirt

Issue Overview: A flaw was discovered in libvirt in the XML file processing. More specifically, the parsing of user provided XML files was performed before the ACL checks. A malicious user with limited permissions could exploit this flaw by submitting a specially crafted XML file, causing libvirt...

EUVD-2025-197850

A flaw was found in libvirt. External inactive snapshots for shut-down VMs are incorrectly created as world-readable, making it possible for unprivileged users to inspect the guest OS contents. This results in an information disclosure vulnerability...

EUVD-2021-26870

Malware in sbrugna...

EUVD-2020-6485

Malware in sbrugna...

EUVD-2024-27443

Malicious code in bioql PyPI...

EUVD-2024-49040

Malicious code in bioql PyPI...

EUVD-2023-44385

Malicious code in bioql PyPI...

EUVD-2024-44042

Malicious code in bioql PyPI...

EUVD-2024-27445

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2016-10746

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - libvirt-domain.c in libvirt before 1.3.1 supports virDomainGetTime API calls by guest agents with an RO connection, even though an RW connection was supposed to...

TencentOS Server 3: libvirt (TSSA-2022:0264)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2022:0264 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:...

Linux Distros Unpatched Vulnerability : CVE-2021-3631

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw allows one exploited guest to access files labeled...

Linux Distros Unpatched Vulnerability : CVE-2023-2700

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability was found in libvirt. This security flaw ouccers due to repeatedly querying an SR-IOV PCI device's capabilities that exposes a memory leak cause...

Linux Distros Unpatched Vulnerability : CVE-2020-14339

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in libvirt, where it leaked a file descriptor for /dev/mapper/control into the QEMU process. This file descriptor allows for privileged...

Linux Distros Unpatched Vulnerability : CVE-2020-14301

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An information disclosure vulnerability was found in libvirt in versions before 6.3.0. HTTP cookies used to access network-based disks were saved in the XML dum...

libvirt: stack use-after-free in virNetClientIOEventLoop()

A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop method, the data pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's...

SUSE CVE-2024-2494

A flaw was found in the RPC library APIs of libvirt. The RPC server deserialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length to the gnew0 function results in a crash due to the negative length being...

CVE-2023-3750

A flaw was found in libvirt. The virStoragePoolObjListSearch function does not return a locked pool as expected, resulting in a race condition and denial of service when attempting to lock the same object from another thread. This issue could allow clients connecting to the read-only socket to...

A use-after-free flaw was found in libvirt. The qemuMonitorUnregister() function in qemuProcessHandleMonitorEOF is called using multiple threads without being adequately protected by a monitor lock. This flaw could be triggered by the virConnectGetAllDomainStats API when the guest is shutting down. An unprivileged client with a read-only connection could use this flaw to perform a denial of service attack by causing the libvirt daemon to crash.

...

UBUNTU-CVE-2021-3631

A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out of sVirt confinement. The highest threat from this vulnerability is to confidentiality a...