QEMU Flaw May Allow Guest User to Crash Host and Cause Denial of Service
CVE-2024-8354
5.5 MEDIUM
Key Information
- Vendor: Red Hat
- Status:
  - Red Hat Enterprise Linux 6
  - Red Hat Enterprise Linux 7
  - Red Hat Enterprise Linux 8
  - Red Hat Enterprise Linux 8 Advanced Virtualization
- CVE Published: 19 September 2024
Summary
A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition.
CVSS V3.1
- Score: 5.5
- Severity: MEDIUM
- Confidentiality: None
- Integrity: None
- Availability: High
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
- NVD Database
- Mitre Database
Credit
Red Hat would like to thank Antoine "Gravis" Assier de Pompignan (Fuzzinglabs) and Patrick Ventuzelo (Fuzzinglabs) for reporting this issue.