CVE-2024-8235

NameCVE-2024-8235
DescriptionA flaw was found in libvirt. A refactor of the code fetching the list of interfaces for multiple APIs introduced a corner case on platforms where allocating 0 bytes of memory results in a NULL pointer. This corner case would lead to a NULL-pointer dereference and subsequent crash of virtinterfaced. This issue could allow clients connecting to the read-only socket to crash the virtinterfaced daemon.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1080218

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libvirt (PTS)jessie, jessie (lts)1.2.9-9+deb8u8fixed
stretch (security)3.0.0-4+deb9u5fixed
stretch (lts), stretch3.0.0-4+deb9u6fixed
buster (security), buster, buster (lts)5.0.0-4+deb10u2fixed
bullseye7.0.0-3+deb11u3fixed
bookworm9.0.0-4+deb12u2fixed
sid, trixie10.9.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libvirtsourcejessie(not affected)
libvirtsourcestretch(not affected)
libvirtsourcebuster(not affected)
libvirtsourcebullseye(not affected)
libvirtsourcebookworm(not affected)
libvirtsource(unstable)10.7.0-11080218

Notes

[bookworm] - libvirt <not-affected> (Vulnerable code not present)
[bullseye] - libvirt <not-affected> (Vulnerable code not present)
Introduced by: https://gitlab.com/libvirt/libvirt/-/commit/bc596f275129bc11b2c4bcf737d380c9e8aeb72d (v10.4.0-rc1)
Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/8dfb12cb77996519901b8d52c754ab564ebd10e8 (v10.7.0-rc2)
[buster] - libvirt <not-affected> (Vulnerable code not present)
[stretch] - libvirt <not-affected> (Vulnerable code not present)
[jessie] - libvirt <not-affected> (Vulnerable code not present)

Search for package or bug name: Reporting problems