QEMU qemu-img Vulnerability: Memory or CPU Consumption Denial of Service

CVE-2024-4467

7.8HIGH

Key Information

Vendor: Red Hat
Status: Advanced Virtualization For Rhel 8.2.1; Advanced Virtualization For Rhel 8.4.0.eus; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Vendor: CVE Published:; 2 July 2024

Summary

A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file.

Affected Version(s)

Advanced Virtualization for RHEL 8.2.1 <= 8020120240708124623.863bb0db

Advanced Virtualization for RHEL 8.4.0.EUS <= 8040020240708093550.522a0ee4

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: null to: 7.8 - (HIGH)
Jul 23, 2024
Vulnerability published.
Jul 2, 2024
Reported to Red Hat.
May 2, 2024

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Martin Kaesberger for reporting this issue.