Time-of-Check to Time-of-Use Race Condition in FreeBSD Bhyve Virtual Machine Monitor
CVE-2024-51563

6.5MEDIUM

Key Information:

Vendor: FreeBSD
Status: FreeBSD
Vendor: CVE Published:; 12 November 2024

What is CVE-2024-51563?

A vulnerability exists in the virtio_vq_recordon function of the FreeBSD Bhyve virtual machine monitor. This flaw is characterized by a time-of-check to time-of-use (TOCTOU) race condition, which may be exploited in scenarios where an attacker can manipulate the timing between operations, potentially leading to unexpected behavior. Systems utilizing Bhyve for virtualization could be at risk of integrity violations, making it essential for administrators to ensure their environments are properly secured against such timing attacks.

Affected Version(s)

FreeBSD 14.1-RELEASE

FreeBSD 13.4-RELEASE

FreeBSD 13.3-RELEASE

References

https://security.freebsd.org/advisories/FreeBSD-SA-24:17....

vendor-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 12, 2024

JSON