CVE-2024-4418

EUVD-2024-44042

08.05.2024, 03:15

A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being "freed" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.2 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 70%

Debian Releases

Debian Product

Codename

libvirt

bookworm	9.0.0-4+deb12u2 not-affected
bullseye	7.0.0-3+deb11u3 not-affected
buster	not-affected
forky	11.10.0-1 fixed
sid	11.10.0-1 fixed
trixie	11.3.0-3+deb13u1 fixed

Ubuntu Releases

Ubuntu Product

Codename

libvirt

bionic	not-affected
focal	not-affected
jammy	not-affected
mantic	not-affected
noble	Fixed 10.0.0-2ubuntu8.2 released
oracular	Fixed 10.0.0-2ubuntu8.2 released
trusty	not-affected
xenial	not-affected

openSUSE / SLES Releases

openSUSE Product

Release

libvirt

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-client

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-client-qemu

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-common

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-config-network

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-config-nwfilter

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-driver-interface

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-driver-libxl

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-driver-network

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-driver-nodedev

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-driver-nwfilter

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-driver-qemu

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-driver-secret

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-driver-storage

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-driver-storage-core

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-driver-storage-disk

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-driver-storage-iscsi

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-driver-storage-iscsi-direct

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-driver-storage-logical

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-driver-storage-mpath

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-driver-storage-rbd

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-driver-storage-scsi

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-hooks

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-lock

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-log

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-plugin-lockd

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-plugin-sanlock

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-proxy

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-qemu

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-daemon-xen

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-devel

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-doc

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

libvirt-nss

suse enterprise sap 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise sap 15 SP7	11.0.0-150700.2.3 fixed
suse enterprise server 15 SP6	10.0.0-150600.8.3.1 fixed
suse enterprise server 15 SP7	11.0.0-150700.2.3 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

libvirt

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-client

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-client-qemu

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-common

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-config-network

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-config-nwfilter

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-driver-interface

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-driver-network

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-driver-nodedev

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-driver-nwfilter

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-driver-qemu

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-driver-secret

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-driver-storage

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-driver-storage-core

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-driver-storage-disk

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-driver-storage-iscsi

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-driver-storage-logical

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-driver-storage-mpath

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-driver-storage-rbd

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-driver-storage-scsi

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-kvm

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-lock

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-log

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-plugin-lockd

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-plugin-sanlock

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-daemon-proxy

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-devel

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-docs

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-libs

RHEL 9

0:10.0.0-6.6.el9_4

fixed

libvirt-nss

RHEL 9

0:10.0.0-6.6.el9_4

fixed

Common Weakness Enumeration

CWE-562 - Return of Stack Variable Address
A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.

References

https://access.redhat.com/errata/RHSA-2024:4351

https://access.redhat.com/errata/RHSA-2024:4432

https://access.redhat.com/errata/RHSA-2024:4757

https://access.redhat.com/security/cve/CVE-2024-4418

https://bugzilla.redhat.com/show_bug.cgi?id=2278616

https://access.redhat.com/errata/RHSA-2024:4351

https://access.redhat.com/errata/RHSA-2024:4432

https://access.redhat.com/errata/RHSA-2024:4757

https://access.redhat.com/security/cve/CVE-2024-4418

https://bugzilla.redhat.com/show_bug.cgi?id=2278616

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4IE44UIIC3QWBFRB4EUSFNLJBU6JLNSD/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4ZQBAJVHIZMCZNTRPUW3ZKXRKLXRQZU/

https://security.netapp.com/advisory/ntap-20250411-0002/