Source: Ubuntu.com (UB:CVE-2024-6505)
Published: Jul 05, 2024 - 12:00 a.m.

CVE-2024-6505

Tags: virtio-net, qemu, rss, heap overflow, debian, bug

CVSS3: 6.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

AI Score: 6.2
Confidence: High

A flaw was found in the virtio-net device in QEMU. When enabling the RSS
feature on the virtio-net network card, the indirections_table data within
RSS becomes controllable. Setting excessively large values may cause an
index out-of-bounds issue, potentially resulting in heap overflow access.
This flaw allows a privileged user in the guest to crash the QEMU process
on the host.

Notes

mdeslaur: no details as of 2024-07-24
