A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the data pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointers stack frame was concurrently being freed when returning from virNetClientIOEventLoop(). The virtproxyd daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it.
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory “belongs” to the code that operates on the new pointer.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | RedHat | virt-devel:rhel-8100020240606142719.489197e6 | * |
| Red Hat Enterprise Linux 8 | RedHat | virt:rhel-8100020240606142719.489197e6 | * |
| Red Hat Enterprise Linux 9 | RedHat | libvirt-0:10.0.0-6.6.el9_4 | * |
| Red Hat Enterprise Linux 9.2 Extended Update Support | RedHat | libvirt-0:9.0.0-10.7.el9_2 | * |
| Libvirt | Ubuntu | devel | * |
| Libvirt | Ubuntu | noble | * |
| Libvirt | Ubuntu | oracular | * |