REDHAT-BUG-2278616: Use After Free
First published: Thu May 02 2024(Updated: )
A race condition leading to a stack use-after-free bug was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being "freed" when returning from virNetClientIOEventLoop(). Quoting libvirt maintainer Daniel P. Berrangé: The 'virtproxyd' daemon can be used to trigger requests which could potentially exercise the bug. If libvirt is configured with fine grained access control, this could in theory let a user escape their otherwise limited access. A local unprivileged user can access virtproxyd without authenticating. Remote users would need to authenticate before they could exercise it.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| libvirt |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2278618
- https://gitlab.com/libvirt/libvirt/-/commit/8074d64dc2eca846d6a61efe1a9b7428a0ce1dd1
- https://access.redhat.com/errata/RHSA-2024:4351
- https://access.redhat.com/errata/RHSA-2024:4432
- https://access.redhat.com/errata/RHSA-2024:4757
- https://bugzilla.redhat.com/show_bug.cgi?id=2278616
- agent/weakness
- agent/severity
- agent/first-publish-date
- agent/description
- agent/type
- agent/event
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-4418
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/libvirt
- canonical/libvirt