What is the severity of REDHAT-BUG-2254580?

The severity of REDHAT-BUG-2254580 is considered critical due to the potential for remote code execution through stack-based buffer overflow.

How do I fix REDHAT-BUG-2254580?

To fix REDHAT-BUG-2254580, update the QEMU package to the latest version that has addressed this vulnerability.

What systems are affected by REDHAT-BUG-2254580?

The systems affected by REDHAT-BUG-2254580 include any installations of QEMU that utilize the virtio-net device with specific guest features enabled.

What causes the vulnerability in REDHAT-BUG-2254580?

The vulnerability in REDHAT-BUG-2254580 is caused by a stack-based buffer overflow occurring in the virtio_net_flush_tx function when handling certain guest features.

Is there a workaround for REDHAT-BUG-2254580 until I can apply a fix?

Yes, a possible workaround for REDHAT-BUG-2254580 is to disable the affected features on the virtio-net device if feasible.

Vulnerability/
REDHAT-BUG-2254580

medium

CWE

119

14/12/2023

22/5/2024

REDHAT-BUG-2254580: Buffer Overflow

First published: Thu Dec 14 2023(Updated: )

A stack based buffer overflow was found in the virtio-net device of QEMU. The flaw occurs while copying data to mhdr, a local variable of type virtio_net_hdr_mrg_rxbuf, when flushing TX in the virtio_net_flush_tx function. If guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled, `n->guest_hdr_len` is set to sizeof(struct virtio_net_hdr_v1_hash), which is bigger than sizeof(virtio_net_hdr_mrg_rxbuf). This vulnerability could potentially allow a malicious user to overwrite local variables adjacent to mhdr allocated on the stack. Specifically, the out_sg variable could be used to read some part of process memory and send it to the wire: ret = qemu_sendv_packet_async(qemu_get_subqueue(n->nic, queue_index), out_sg, out_num, virtio_net_tx_complete);

Affected Software	Affected Version	How to fix
QEMU

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of REDHAT-BUG-2254580?
The severity of REDHAT-BUG-2254580 is considered critical due to the potential for remote code execution through stack-based buffer overflow.
How do I fix REDHAT-BUG-2254580?
To fix REDHAT-BUG-2254580, update the QEMU package to the latest version that has addressed this vulnerability.
What systems are affected by REDHAT-BUG-2254580?
The systems affected by REDHAT-BUG-2254580 include any installations of QEMU that utilize the virtio-net device with specific guest features enabled.
What causes the vulnerability in REDHAT-BUG-2254580?
The vulnerability in REDHAT-BUG-2254580 is caused by a stack-based buffer overflow occurring in the virtio_net_flush_tx function when handling certain guest features.
Is there a workaround for REDHAT-BUG-2254580 until I can apply a fix?
Yes, a possible workaround for REDHAT-BUG-2254580 is to disable the affected features on the virtio-net device if feasible.

agent/type
agent/first-publish-date
agent/weakness
agent/severity
agent/event
agent/description
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-6693
agent/references
agent/last-modified-date
agent/source
agent/softwarecombine
agent/tags
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/qemu
canonical/qemu

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.