Description: An incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent, which could lead to potentially disclosing unintended information or denial of service by causing libvirt to block.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 926418

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| libvirt (PTS) | buster | 5.0.0-4+deb10u1 | fixed |
| | sid, trixie | 10.0.0-2 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libvirt | source | jessie | (not affected) | | | |
| libvirt | source | stretch | (not affected) | | | |


[stretch] - libvirt <not-affected> (Vulnerable code not present)
[jessie] - libvirt <not-affected> (Vulnerable code not present)
Introduced in: commit 25736a4c7ed50c101b4f87935f350f1a39a89f6e (v4.8.0-rc1)
Fixed by: commit 2a07c990bd9143d7a0fe8d1b6b7c763c52185240
Fixed by: commit ae076bb40e0e150aef41361b64001138d04d6c60

