Описание
An integer overflow vulnerability was found in the virtio-snd device via PCM_INFO requests from the guest. A malicious guest can provide out-of-bounds stream counts, potentially leading to unbounded memory allocation on the host and a denial of service condition.
Отчет
The qemu-kvm packages as shipped with Red Hat Enterprise Linux are not affected by this CVE. The virtio-snd device is disabled at build-time in RHEL, effectively removing the attack surface.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | qemu-kvm | Not affected | ||
| Red Hat Enterprise Linux 6 | qemu-kvm | Not affected | ||
| Red Hat Enterprise Linux 7 | qemu-kvm | Not affected | ||
| Red Hat Enterprise Linux 7 | qemu-kvm-ma | Not affected | ||
| Red Hat Enterprise Linux 8 | virt:rhel/qemu-kvm | Not affected | ||
| Red Hat Enterprise Linux 9 | qemu-kvm | Not affected | ||
| Red Hat OpenShift Container Platform 4 | rhcos | Not affected |
Показывать по
10
Дополнительная информация
Статус:
Moderate
Дефект:
CWE-190
https://bugzilla.redhat.com/show_bug.cgi?id=2443789qemu-kvm: virtio-snd: integer overflow leading to unbounded memory allocation
5.5 Medium
CVSS3
Связанные уязвимости
5.5 Medium
CVSS3