# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. |
1 | CVE-2022-0897 | 667 | | | 2022-03-25 | 2022-05-19 | 4.0 | None | Remote | Low | ??? | None | None | Partial |
A flaw was found in the libvirt nwfilter driver. The virNWFilterObjListNumOfNWFilters method failed to acquire the `driver->nwfilters` mutex before iterating over virNWFilterObj instances. There was no protection to stop another thread from concurrently modifying the `driver->nwfilters` object. This flaw allows a malicious, unprivileged user to exploit this issue via libvirt’s API virConnectNumOfNWFilters to crash the network filter management daemon (libvirtd/virtnwfilterd). |
2 | CVE-2021-4147 | 667 | | DoS | 2022-03-25 | 2022-05-13 | 4.9 | None | Local | Low | Not required | None | None | Complete |
A flaw was found in the libvirt libxl driver. A malicious guest could continuously reboot itself and cause libvirtd on the host to deadlock or crash, resulting in a denial of service condition. |
3 | CVE-2021-3667 | 667 | | DoS | 2022-03-02 | 2022-06-04 | 3.5 | None | Remote | Medium | ??? | None | None | Partial |
An improper locking issue was found in the virStoragePoolLookupByTargetPath API of libvirt. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. |
4 | CVE-2021-3631 | 732 | | | 2022-03-02 | 2022-06-04 | 3.3 | None | Local | Medium | Not required | Partial | Partial | None |
A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out of sVirt confinement. The highest threat from this vulnerability is to confidentiality and integrity. |
5 | CVE-2021-3559 | 119 | | Overflow | 2021-05-24 | 2022-04-26 | 4.0 | None | Remote | Low | ??? | None | None | Partial |
A flaw was found in libvirt in the virConnectListAllNodeDevices API in versions before 7.0.0. It only affects hosts with a PCI device and driver that supports mediated devices (e.g., GRID driver). This flaw could be used by an unprivileged client with a read-only connection to crash the libvirt daemon by executing the 'nodedev-list' virsh command. The highest threat from this vulnerability is to system availability. |
6 | CVE-2020-25637 | 415 | | DoS | 2020-10-06 | 2020-12-04 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete |
A double free memory issue was found to occur in the libvirt API, in versions before 6.8.0, responsible for requesting information about network interfaces of a running QEMU domain. This flaw affects the polkit access control driver. Specifically, clients connecting to the read-write socket with limited ACL permissions could use this flaw to crash the libvirt daemon, resulting in a denial of service, or potentially escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
7 | CVE-2020-14339 | 772 | | +Priv | 2020-12-03 | 2021-02-09 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete |
A flaw was found in libvirt, where it leaked a file descriptor for `/dev/mapper/control` into the QEMU process. This file descriptor allows for privileged operations to happen against the device-mapper on the host. This flaw allows a malicious guest user or process to perform operations outside of their standard permissions, potentially causing serious damage to the host operating system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. |
8 | CVE-2020-14301 | 212 | | | 2021-05-27 | 2022-05-13 | 4.0 | None | Remote | Low | ??? | Partial | None | None |
An information disclosure vulnerability was found in libvirt in versions before 6.3.0. HTTP cookies used to access network-based disks were saved in the XML dump of the guest domain. This flaw allows an attacker to access potentially sensitive information in the domain configuration via the `dumpxml` command. |
9 | CVE-2020-12430 | 401 | | DoS | 2020-04-28 | 2020-06-16 | 4.0 | None | Remote | Low | ??? | None | None | Partial |
An issue was discovered in qemuDomainGetStatsIOThread in qemu/qemu_driver.c in libvirt 4.10.0 through 6.x before 6.1.0. A memory leak was found in the virDomainListGetStats libvirt API that is responsible for retrieving domain statistics when managing QEMU guests. This flaw allows unprivileged users with a read-only connection to cause a memory leak in the domstats command, resulting in a potential denial of service. |
10 | CVE-2020-10703 | 476 | | DoS | 2020-06-02 | 2020-06-16 | 4.0 | None | Remote | Low | ??? | None | None | Partial |
A NULL pointer dereference was found in the libvirt API responsible for fetching a storage pool based on its target path. The flaw was introduced in upstream version 3.10.0 and fixed in libvirt 6.0.0. In more detail, this flaw affects storage pools created without a target path, such as network-based pools like gluster and RBD. Unprivileged users with a read-only connection could abuse this flaw to crash the libvirt daemon, resulting in a potential denial of service. |
11 | CVE-2020-10701 | 862 | | DoS | 2021-05-27 | 2022-05-13 | 4.0 | None | Remote | Low | ??? | None | None | Partial |
A missing authorization flaw was found in the libvirt API responsible for changing the QEMU agent response timeout. This flaw allows read-only connections to adjust the time that libvirt waits for the QEMU guest agent to respond to agent commands. Depending on the timeout value that is set, this flaw can make guest agent commands fail because the agent cannot respond in time. Unprivileged users with a read-only connection could abuse this flaw to set the response timeout for all guest agent messages to zero, potentially leading to a denial of service. This flaw affects libvirt versions before 6.2.0. |
12 | CVE-2019-20485 | 20 | | DoS | 2020-03-19 | 2020-06-16 | 2.7 | None | Local Network | Low | ??? | None | None | Partial |
qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a monitor job during a query to a guest agent, which allows attackers to cause a denial of service (API blockage). |
13 | CVE-2019-10168 | 22 | | Dir. Trav. | 2019-08-02 | 2020-10-15 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial |
The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU() libvirt APIs, 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accept an "emulator" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges. |
14 | CVE-2019-10167 | 22 | | Dir. Trav. | 2019-08-02 | 2020-10-15 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial |
The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges. |
15 | CVE-2019-10166 | | | | 2019-08-02 | 2020-10-15 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial |
It was discovered that libvirtd, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, would permit readonly clients to use the virDomainManagedSaveDefineXML() API, which would permit them to modify managed save state files. If a managed save had already been created by a privileged user, a local attacker could modify this file such that libvirtd would execute an arbitrary program when the domain was resumed. |
16 | CVE-2019-10161 | 22 | | DoS Dir. Trav. | 2019-07-30 | 2021-03-25 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete |
It was discovered that libvirtd before versions 4.10.1 and 5.4.1 would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs. |
17 | CVE-2019-10132 | 264 | | | 2019-05-22 | 2019-06-11 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial |
A vulnerability was found in libvirt >= 4.1.0 in the virtlockd-admin.socket and virtlogd-admin.socket systemd units. A missing SocketMode configuration parameter allows any user on the host to connect using virtlockd-admin-sock or virtlogd-admin-sock and perform administrative tasks against the virtlockd and virtlogd daemons. |
18 | CVE-2019-3886 | 862 | | DoS | 2019-04-04 | 2021-11-02 | 4.8 | None | Local Network | Low | Not required | Partial | None | Partial |
An incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent, which could lead to potentially disclosing unintended information or denial of service by causing libvirt to block. |
19 | CVE-2019-3840 | 476 | | DoS | 2019-03-27 | 2019-05-05 | 3.5 | None | Remote | Medium | ??? | None | None | Partial |
A NULL pointer dereference flaw was discovered in libvirt before version 5.0.0 in the way it gets interface information through the QEMU agent. An attacker in a guest VM can use this flaw to crash libvirtd and cause a denial of service. |
20 | CVE-2018-1064 | 400 | | | 2018-03-28 | 2018-06-20 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
libvirt before version 4.2.0-rc1 is vulnerable to resource exhaustion as a result of an incomplete fix for CVE-2018-5748, which affects the QEMU monitor; the issue can now also be triggered via the QEMU guest agent. |
21 | CVE-2017-1000256 | 295 | | | 2017-10-31 | 2020-11-16 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
libvirt version 2.3.0 and later is vulnerable to a bad default configuration of "verify-peer=no" passed to QEMU by libvirt resulting in a failure to validate SSL/TLS certificates by default. |
22 | CVE-2017-2635 | 476 | | DoS | 2018-08-22 | 2019-10-09 | 4.0 | None | Remote | Low | ??? | None | None | Partial |
A NULL pointer dereference flaw was found in the way libvirt from 2.5.0 to 3.0.0 handled empty drives. A remote authenticated attacker could use this flaw to crash the libvirtd daemon, resulting in denial of service. |
23 | CVE-2016-10746 | 254 | | | 2019-04-18 | 2019-05-01 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
libvirt-domain.c in libvirt before 1.3.1 supports virDomainGetTime API calls by guest agents with an RO connection, even though an RW connection was supposed to be required, a different vulnerability than CVE-2019-3886. |
24 | CVE-2016-5008 | 284 | | Bypass | 2016-07-13 | 2018-03-16 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
libvirt before 2.0.0 improperly disables password checking when the password on a VNC server is set to an empty string, which allows remote attackers to bypass authentication and establish a VNC session by connecting to the server. |
25 | CVE-2014-8131 | 264 | | DoS | 2015-01-06 | 2015-01-06 | 4.0 | None | Remote | Low | ??? | None | None | Partial |
The qemu implementation of virConnectGetAllDomainStats in libvirt before 1.2.11 does not properly handle locks when a domain is skipped due to ACL restrictions, which allows remote authenticated users to cause a denial of service (deadlock or segmentation fault and crash) via a request to access a domain that the user does not have privileges to access. |
26 | CVE-2014-7823 | 255 | | | 2014-11-13 | 2017-01-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
The virDomainGetXMLDesc API in Libvirt before 1.2.11 allows remote read-only users to obtain the VNC password by using the VIR_DOMAIN_XML_MIGRATABLE flag, which triggers the use of the VIR_DOMAIN_XML_SECURE flag. |
27 | CVE-2014-3672 | 400 | | DoS | 2016-05-25 | 2017-09-08 | 2.1 | None | Local | Low | Not required | None | None | Partial |
The qemu implementation in libvirt before 1.3.0 and Xen allows local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr. |
28 | CVE-2014-1447 | 362 | | DoS | 2014-01-24 | 2015-01-03 | 3.3 | None | Local Network | Low | Not required | None | None | Partial |
Race condition in the virNetServerClientStartKeepAlive function in libvirt before 1.2.1 allows remote attackers to cause a denial of service (libvirtd crash) by closing a connection before a keepalive response is sent. |
29 | CVE-2013-7336 | | | DoS | 2014-05-07 | 2018-10-30 | 1.9 | None | Local | Medium | Not required | None | None | Partial |
The qemuMigrationWaitForSpice function in qemu/qemu_migration.c in libvirt before 1.1.3 does not properly enter a monitor when performing seamless SPICE migration, which allows local users to cause a denial of service (NULL pointer dereference and libvirtd crash) by causing domblkstat to be called at the same time as the qemuMonitorGetSpiceMigrationStatus function. |
30 | CVE-2013-6458 | 362 | | DoS | 2014-01-24 | 2015-01-03 | 6.8 | None | Local Network | High | Not required | Complete | Complete | Complete |
Multiple race conditions in the (1) virDomainBlockStats, (2) virDomainGetBlockInfo, (3) qemuDomainBlockJobImpl, and (4) virDomainGetBlockIoTune functions in libvirt before 1.2.1 do not properly verify that the disk is attached, which allows remote read-only attackers to cause a denial of service (libvirtd crash) via the virDomainDetachDeviceFlags command. |
31 | CVE-2013-6457 | 264 | | DoS Exec Code | 2014-01-24 | 2015-01-03 | 5.2 | None | Local Network | Low | ??? | Partial | Partial | Partial |
The libxlDomainGetNumaParameters function in the libxl driver (libxl/libxl_driver.c) in libvirt before 1.2.1 does not properly initialize the nodemap, which allows local users to cause a denial of service (invalid free operation and crash) or possibly execute arbitrary code via an inactive domain to the virsh numatune command. |
32 | CVE-2013-5651 | 119 | | DoS Overflow | 2013-09-30 | 2015-01-03 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
The virBitmapParse function in util/virbitmap.c in libvirt before 1.1.2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via a crafted bitmap, as demonstrated by a large nodeset value to numatune. |
33 | CVE-2013-4399 | | | DoS | 2014-12-12 | 2014-12-15 | 4.3 | None | Remote | Medium | Not required | None | None | Partial |
The remoteClientFreeFunc function in daemon/remote.c in libvirt before 1.1.3, when ACLs are used, does not set an identity, which causes event handler removal to be denied and remote attackers to cause a denial of service (use-after-free and crash) by registering an event handler and then closing the connection. |
34 | CVE-2013-4297 | 119 | | DoS Overflow | 2013-09-30 | 2015-01-02 | 4.0 | None | Remote | Low | ??? | None | None | Partial |
The virFileNBDDeviceAssociate function in util/virfile.c in libvirt 1.1.2 and earlier allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and crash) via unspecified vectors. |
35 | CVE-2013-4154 | | | DoS | 2013-09-30 | 2013-10-11 | 4.3 | None | Remote | Medium | Not required | None | None | Partial |
The qemuAgentCommand function in libvirt before 1.1.1, when a guest agent is not configured, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to "agent based cpu (un)plug," as demonstrated by the "virsh vcpucount foobar --guest" command. |
36 | CVE-2013-2230 | 20 | | DoS | 2013-09-30 | 2013-10-04 | 4.0 | None | Remote | Low | ??? | None | None | Partial |
The qemu driver (qemu/qemu_driver.c) in libvirt before 1.1.1 allows remote authenticated users to cause a denial of service (daemon crash) via unspecified vectors involving "multiple events registration." |
37 | CVE-2013-1766 | 264 | | | 2013-03-20 | 2013-03-21 | 3.6 | None | Local | Low | Not required | None | Partial | Partial |
libvirt 1.0.2 and earlier sets the group owner to kvm for device files, which allows local users to write to these files via unspecified vectors. |
38 | CVE-2013-0170 | 416 | | DoS Exec Code | 2013-02-08 | 2020-10-22 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Use-after-free vulnerability in the virNetMessageFree function in rpc/virnetserverclient.c in libvirt 1.0.x before 1.0.2, 0.10.2 before 0.10.2.3, 0.9.11 before 0.9.11.9, and 0.9.6 before 0.9.6.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering certain errors during an RPC connection, which causes a message to be freed without being removed from the message queue. |
39 | CVE-2012-4423 | | | DoS | 2012-11-19 | 2013-03-08 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
The virNetServerProgramDispatchCall function in libvirt before 0.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and segmentation fault) via an RPC call with (1) an event as the RPC number or (2) an RPC number whose value is in a "gap" in the RPC dispatch table. |
40 | CVE-2012-2693 | 264 | | | 2012-06-17 | 2013-01-15 | 3.7 | None | Local | High | Not required | Partial | Partial | Partial |
libvirt, possibly before 0.9.12, does not properly assign USB devices to virtual machines when multiple devices have the same vendor and product ID, which might cause the wrong device to be associated with a guest and might allow local users to access unintended USB devices. |
41 | CVE-2011-2511 | 189 | | DoS Exec Code Overflow Mem. Corr. | 2011-08-10 | 2017-08-29 | 4.0 | None | Remote | Low | ??? | None | None | Partial |
Integer overflow in libvirt before 0.9.3 allows remote authenticated users to cause a denial of service (libvirtd crash) and possibly execute arbitrary code via a crafted virDomainGetVcpus RPC call that triggers memory corruption. |
42 | CVE-2011-1486 | 399 | | DoS | 2011-05-31 | 2011-08-12 | 3.3 | None | Local Network | Low | Not required | None | None | Partial |
libvirtd in libvirt before 0.9.0 does not use thread-safe error reporting, which allows remote attackers to cause a denial of service (crash) by causing multiple threads to report errors at the same time. |