CVE-2024-8354

EUVD-2024-49120
A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
redhatCNA
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
Affected Products (NVD)
VendorProductVersion
qemuqemu
-
redhatenterprise_linux
6.0
redhatenterprise_linux
7.0
redhatenterprise_linux
8.0
redhatenterprise_linux
8.0
redhatenterprise_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
qemu
bookworm
no-dsa
bookworm (security)
vulnerable
bullseye
postponed
bullseye (security)
vulnerable
forky
1:10.1.2+ds-3
fixed
sid
1:10.2.0+ds-1
fixed
trixie
no-dsa
trixie (security)
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
qemu
bionic
needed
focal
needed
jammy
needed
noble
needed
oracular
ignored
plucky
needed
questing
needed
trusty
needed
xenial
needed
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2024-8354
https://bugzilla.redhat.com/show_bug.cgi?id=2313497
https://security.netapp.com/advisory/ntap-20241011-0008/