CVE-2024-6505

July 5, 2024, 5:10 p.m.

6.0
Medium

Description

A flaw was found in the virtio-net device in QEMU. When enabling the RSS feature on the virtio-net network card, the indirections_table data within RSS becomes controllable. Setting excessively large values may cause an index out-of-bounds issue, potentially resulting in heap overflow access. This flaw allows a privileged user in the guest to crash the QEMU process on the host.

Product(s) Impacted

Product Versions
QEMU

Weaknesses

CWE-125
Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.

References

https://access.redhat.com/security/cve/CVE-2024-6505
https://bugzilla.redhat.com/show_bug.cgi?id=2295760

Tags

secalert@redhat.com
CWE-125
2024-07-05
CVE-2024-6505

CVSS Score

6.0 / 10

CVSS Data

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: HIGH
  • Scope: CHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH
    • View Vector String

    CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

Date

  • Published: July 5, 2024, 2:15 p.m.
  • Last Modified: July 5, 2024, 5:10 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

secalert@redhat.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.