CVE-2024-8235

NameCVE-2024-8235
DescriptionA flaw was found in libvirt. A refactor of the code fetching the list of interfaces for multiple APIs introduced a corner case on platforms where allocating 0 bytes of memory results in a NULL pointer. This corner case would lead to a NULL-pointer dereference and subsequent crash of virtinterfaced. This issue could allow clients connecting to the read-only socket to crash the virtinterfaced daemon.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1080218

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libvirt (PTS)bullseye7.0.0-3+deb11u3fixed
bookworm9.0.0-4+deb12u2fixed
sid, trixie10.10.0-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libvirtsourcebullseye(not affected)
libvirtsourcebookworm(not affected)
libvirtsource(unstable)10.7.0-11080218

Notes

[bookworm] - libvirt <not-affected> (Vulnerable code not present)
[bullseye] - libvirt <not-affected> (Vulnerable code not present)
Introduced by: https://gitlab.com/libvirt/libvirt/-/commit/bc596f275129bc11b2c4bcf737d380c9e8aeb72d (v10.4.0-rc1)
Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/8dfb12cb77996519901b8d52c754ab564ebd10e8 (v10.7.0-rc2)

Search for package or bug name: Reporting problems