{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-4418", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-05-02T10:52:32.129Z", "datePublished": "2024-05-08T03:03:05.135Z", "dateUpdated": "2025-11-08T07:13:49.167Z"}, "containers": {"cna": {"title": "Libvirt: stack use-after-free in virnetclientioeventloop()", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being \"freed\" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "10.4.0", "versionType": "semver"}], "packageName": "libvirt", "collectionURL": "https://gitlab.com/libvirt/libvirt", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt-devel:rhel", "defaultStatus": "affected", "versions": [{"version": "8100020240606142719.489197e6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/a:redhat:enterprise_linux:8::crb"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt:rhel", "defaultStatus": "affected", "versions": [{"version": "8100020240606142719.489197e6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/a:redhat:enterprise_linux:8::crb"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libvirt", "defaultStatus": "affected", "versions": [{"version": "0:10.0.0-6.6.el9_4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream", "cpe:/a:redhat:enterprise_linux:9::crb"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.2 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libvirt", "defaultStatus": "affected", "versions": [{"version": "0:9.0.0-10.7.el9_2", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:9.2::crb", "cpe:/a:redhat:rhel_eus:9.2::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libvirt", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libvirt", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8 Advanced Virtualization", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt:av/libvirt", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:advanced_virtualization:8::el8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:4351", "name": "RHSA-2024:4351", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4432", "name": "RHSA-2024:4432", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4757", "name": "RHSA-2024:4757", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-4418", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278616", "name": "RHBZ#2278616", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-05-02T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "Use After Free", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-362->CWE-416: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') leads to Use After Free", "timeline": [{"lang": "en", "time": "2024-05-02T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-05-02T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Martin \u0160irokov for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-11-08T07:13:49.167Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-05-08T15:25:15.415508Z", "id": "CVE-2024-4418", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T14:40:57.023Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:4351", "name": "RHSA-2024:4351", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4432", "name": "RHSA-2024:4432", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4757", "name": "RHSA-2024:4757", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-4418", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278616", "name": "RHBZ#2278616", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4IE44UIIC3QWBFRB4EUSFNLJBU6JLNSD/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4ZQBAJVHIZMCZNTRPUW3ZKXRKLXRQZU/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20250411-0002/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-11T22:03:18.932Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:4351", "name": "RHSA-2024:4351", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4432", "name": "RHSA-2024:4432", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4757", "name": "RHSA-2024:4757", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-4418", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278616", "name": "RHBZ#2278616", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4IE44UIIC3QWBFRB4EUSFNLJBU6JLNSD/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4ZQBAJVHIZMCZNTRPUW3ZKXRKLXRQZU/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20250411-0002/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-11T22:03:18.932Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4418", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-08T15:25:15.415508Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-08T15:25:28.592Z"}}], "cna": {"title": "Libvirt: stack use-after-free in virnetclientioeventloop()", "credits": [{"lang": "en", "value": "Red Hat would like to thank Martin \u0160irokov for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "10.4.0", "versionType": "semver"}], "packageName": "libvirt", "collectionURL": "https://gitlab.com/libvirt/libvirt", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/a:redhat:enterprise_linux:8::crb"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "8100020240606142719.489197e6", "lessThan": "*", "versionType": "rpm"}], "packageName": "virt-devel:rhel", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/a:redhat:enterprise_linux:8::crb"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "8100020240606142719.489197e6", "lessThan": "*", "versionType": "rpm"}], "packageName": "virt:rhel", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream", "cpe:/a:redhat:enterprise_linux:9::crb"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:10.0.0-6.6.el9_4", "lessThan": "*", "versionType": "rpm"}], "packageName": "libvirt", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_eus:9.2::crb", "cpe:/a:redhat:rhel_eus:9.2::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.2 Extended Update Support", "versions": [{"status": "unaffected", "version": "0:9.0.0-10.7.el9_2", "lessThan": "*", "versionType": "rpm"}], "packageName": "libvirt", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:6"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "packageName": "libvirt", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "libvirt", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:advanced_virtualization:8::el8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8 Advanced Virtualization", "packageName": "virt:av/libvirt", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-05-02T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-05-02T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-05-02T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:4351", "name": "RHSA-2024:4351", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4432", "name": "RHSA-2024:4432", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:4757", "name": "RHSA-2024:4757", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-4418", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278616", "name": "RHBZ#2278616", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being \"freed\" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "Use After Free"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-11-08T07:13:49.167Z"}, "x_redhatCweChain": "CWE-362->CWE-416: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') leads to Use After Free"}}, "cveMetadata": {"cveId": "CVE-2024-4418", "state": "PUBLISHED", "dateUpdated": "2025-11-08T07:13:49.167Z", "dateReserved": "2024-05-02T10:52:32.129Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-05-08T03:03:05.135Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being \"freed\" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it."}, {"lang": "es", "value": "Se encontr\u00f3 en libvirt una condici\u00f3n de ejecuci\u00f3n que conduc\u00eda a una falla de use-after-free de la pila. Debido a una mala suposici\u00f3n en el m\u00e9todo virNetClientIOEventLoop(), el puntero de `datos` a una estructura virNetClientIOEventData asignada a la pila termin\u00f3 us\u00e1ndose en la devoluci\u00f3n de llamada de virNetClientIOEventFD mientras el marco de pila del puntero de datos se \"liberaba\" simult\u00e1neamente al regresar de virNetClientIOEventLoop() . El daemon 'virtproxyd' se puede utilizar para activar solicitudes. Si libvirt est\u00e1 configurado con un control de acceso detallado, este problema, en teor\u00eda, permite al usuario escapar de su acceso, que de otro modo ser\u00eda limitado. Esta falla permite que un usuario local sin privilegios acceda a virtproxyd sin autenticarse. Los usuarios remotos tendr\u00edan que autenticarse antes de poder acceder a \u00e9l."}], "id": "CVE-2024-4418", "lastModified": "2025-04-11T22:15:29.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-05-08T03:15:07.203", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:4351"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:4432"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:4757"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-4418"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278616"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2024:4351"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2024:4432"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2024:4757"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/security/cve/CVE-2024-4418"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278616"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4IE44UIIC3QWBFRB4EUSFNLJBU6JLNSD/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4ZQBAJVHIZMCZNTRPUW3ZKXRKLXRQZU/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20250411-0002/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Martin \u0160irokov for reporting this issue.", "affected_release": [{"advisory": "RHSA-2024:4351", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "virt-devel:rhel-8100020240606142719.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4351", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "virt:rhel-8100020240606142719.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4757", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "libvirt-0:10.0.0-6.6.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-07-23T00:00:00Z"}, {"advisory": "RHSA-2024:4432", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "libvirt-0:9.0.0-10.7.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-07-09T00:00:00Z"}], "bugzilla": {"description": "libvirt: stack use-after-free in virNetClientIOEventLoop()", "id": "2278616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278616"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-362->CWE-416", "details": ["A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being \"freed\" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it.", "A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being \"freed\" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it."], "name": "CVE-2024-4418", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "libvirt", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "libvirt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Will not fix", "package_name": "virt:av/libvirt", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}], "public_date": "2024-05-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-4418\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-4418"], "threat_severity": "Moderate"}

{}