Description: A vulnerability was found in libvirt. This security flaw occurs because repeatedly querying an SR-IOV PCI device's capabilities exposes a memory leak caused by a failure to free the virPCIVirtualFunction array within the parent struct's g_autoptr cleanup.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1036297

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| libvirt (PTS) | bullseye | 7.0.0-3+deb11u2 | fixed |
| | sid, trixie | 10.5.0-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libvirt | source | buster | (not affected) | | | |
| libvirt | source | bullseye | (not affected) | | | |


[bullseye] - libvirt <not-affected> (Vulnerable code not present)
[buster] - libvirt <not-affected> (Vulnerable code not present)
Introduced in: (v7.7.0-rc1)
Fixed by: (v9.3.0)
