A flaw was found in the RPC library APIs of libvirt. The RPC server deserialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length to the g_new0 function results in a crash due to the negative length being treated as a huge positive number. This flaw allows a local, unprivileged user to perform a denial of service attack by causing the libvirt daemon to crash.
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | RedHat | virt-devel:rhel-8100020240409073027.489197e6 | * |
| Red Hat Enterprise Linux 8 | RedHat | virt:rhel-8100020240409073027.489197e6 | * |
| Red Hat Enterprise Linux 9 | RedHat | libvirt-0:10.0.0-6.2.el9_4 | * |
| Libvirt | Ubuntu | devel | * |
| Libvirt | Ubuntu | focal | * |
| Libvirt | Ubuntu | jammy | * |
| Libvirt | Ubuntu | mantic | * |
| Libvirt | Ubuntu | noble | * |
| Libvirt | Ubuntu | oracular | * |
| Libvirt | Ubuntu | trusty/esm | * |