CVE-2019-3840
Published: 27 February 2019
A NULL pointer dereference flaw was discovered in libvirt before version 5.0.0 in the way it gets interface information through the QEMU agent. An attacker in a guest VM can use this flaw to crash libvirtd and cause a denial of service.
Notes
Author | Note |
---|---|
mdeslaur | introduced in 1.2.14 |
Priority
Status
Package | Release | Status |
---|---|---|
libvirt | upstream | Released (5.0.0-1) |
libvirt | trusty | Not vulnerable (code not present) |
libvirt | xenial | Released (1.3.1-1ubuntu10.25) |
libvirt | bionic | Released (4.0.0-1ubuntu8.8) |
libvirt | cosmic | Released (4.6.0-2ubuntu3.4) |

Patches: upstream: https://libvirt.org/git/?p=libvirt.git;a=commit;h=7cfd1fbb1332ae5df678b9f41a62156cb2e88c73
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.3 |
Attack vector | Network |
Attack complexity | High |
Privileges required | Low |
User interaction | None |
Scope | Changed |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H |