CVE-2024-4418 : A race condition leading to a stack use-after-free flaw was found in libvirt. Du

A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being "freed" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it.

Published 2024-05-08 03:15:07

Updated 2025-04-11 22:15:29

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Memory Corruption

Products affected by CVE-2024-4418

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2024-4418

EPSS FAQ

0.17%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 39 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-4418

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.2	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	2.5	3.6	Red Hat, Inc.	2024-05-08
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
6.2	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	N/A	N/A	RedHat-CVE-2024-4418	2024-05-02
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2024-4418

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Assigned by: secalert@redhat.com (Secondary)

References for CVE-2024-4418

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4ZQBAJVHIZMCZNTRPUW3ZKXRKLXRQZU/

[SECURITY] Fedora 39 Update: libvirt-9.7.0-4.fc39 - package-announce - Fedora Mailing-Lists
https://access.redhat.com/errata/RHSA-2024:4351

RHSA-2024:4351 - Security Advisory - Red Hat Customer Portal
https://bugzilla.redhat.com/show_bug.cgi?id=2278616

2278616 – (CVE-2024-4418) CVE-2024-4418 libvirt: stack use-after-free in virNetClientIOEventLoop()
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4IE44UIIC3QWBFRB4EUSFNLJBU6JLNSD/

[SECURITY] Fedora 40 Update: libvirt-10.1.0-2.fc40 - package-announce - Fedora Mailing-Lists
https://security.netapp.com/advisory/ntap-20250411-0002/
https://access.redhat.com/errata/RHSA-2024:4757

RHSA-2024:4757 - Security Advisory - Red Hat Customer Portal
https://access.redhat.com/errata/RHSA-2024:4432

RHSA-2024:4432 - Security Advisory - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2024-4418

CVE-2024-4418- Red Hat Customer Portal

Jump to

Vulnerability Details : CVE-2024-4418

Products affected by CVE-2024-4418

Exploit prediction scoring system (EPSS) score for CVE-2024-4418

CVSS scores for CVE-2024-4418

CWE ids for CVE-2024-4418

References for CVE-2024-4418