CVE-2024-3446

2024-04-0900:00:00

ubuntu.com

cve-2024-3446

qemu

virtio devices

dma reentrancy

denial of service

arbitrary code execution

unix

8.2 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

8.2 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

A double free vulnerability was found in QEMU virtio devices (virtio-gpu,
virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag
insufficiently protects against DMA reentrancy issues. This issue could
allow a malicious privileged guest user to crash the QEMU process on the
host, resulting in a denial of service or allow arbitrary code execution
within the context of the QEMU process on the host.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchqemu< anyUNKNOWN
ubuntu20.04noarchqemu< anyUNKNOWN
ubuntu22.04noarchqemu< anyUNKNOWN
ubuntu23.10noarchqemu< anyUNKNOWN
ubuntu24.04noarchqemu< anyUNKNOWN
ubuntu14.04noarchqemu< anyUNKNOWN
ubuntu16.04noarchqemu< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	qemu	< any	UNKNOWN
ubuntu	20.04	noarch	qemu	< any	UNKNOWN
ubuntu	22.04	noarch	qemu	< any	UNKNOWN
ubuntu	23.10	noarch	qemu	< any	UNKNOWN
ubuntu	24.04	noarch	qemu	< any	UNKNOWN
ubuntu	14.04	noarch	qemu	< any	UNKNOWN
ubuntu	16.04	noarch	qemu	< any	UNKNOWN