CVE Vulnerabilities

CVE-2024-4418

Use After Free

Published: May 08, 2024 | Modified: Apr 11, 2025
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
6.2 MODERATE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM

A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the data pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointers stack frame was concurrently being freed when returning from virNetClientIOEventLoop(). The virtproxyd daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it.

Weakness

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory “belongs” to the code that operates on the new pointer.

Affected Software

Name Vendor Start Version End Version
Red Hat Enterprise Linux 8 RedHat virt-devel:rhel-8100020240606142719.489197e6 *
Red Hat Enterprise Linux 8 RedHat virt:rhel-8100020240606142719.489197e6 *
Red Hat Enterprise Linux 9 RedHat libvirt-0:10.0.0-6.6.el9_4 *
Red Hat Enterprise Linux 9.2 Extended Update Support RedHat libvirt-0:9.0.0-10.7.el9_2 *
Libvirt Ubuntu devel *
Libvirt Ubuntu noble *
Libvirt Ubuntu oracular *

Potential Mitigations

References