ubuntucve / Ubuntu.com / UB:CVE-2024-4418
May 05, 2024 - 12:00 a.m.

CVE-2024-4418


CVSS3: 6.2
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 6.2
Confidence: High

EPSS: 0
Percentile: 16.3%

A race condition leading to a stack use-after-free flaw was found in
libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method,
the data pointer to a stack-allocated virNetClientIOEventData structure
ended up being used in the virNetClientIOEventFD callback while the data
pointer’s stack frame was concurrently being “freed” when returning from
virNetClientIOEventLoop(). The ‘virtproxyd’ daemon can be used to trigger
requests. If libvirt is configured with fine-grained access control, this
issue, in theory, allows a user to escape their otherwise limited access.
This flaw allows a local, unprivileged user to access virtproxyd without
authenticating. Remote users would need to authenticate before they could
access it.

Notes

mdeslaur: This issue is probably introduced by: https://gitlab.com/libvirt/libvirt/-/commit/7cb03e6a28e465c49f0cabe8fe2e7d21edb5aadf so only noble and higher are affected.

OS | OS Version | Architecture | Package | Package Version | Filename
ubuntu | 24.04 | noarch | libvirt | < 10.0.0-2ubuntu8.2 | UNKNOWN
