AZL-60151

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-60151.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-60151

Upstream

CVE-2024-8612

Published

2024-09-20T18:15:04Z

Modified

2026-04-01T05:19:36.148718Z

Severity

3.8 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVSS Calculator

Summary

CVE-2024-8612 affecting package qemu 6.2.0-26

Details

A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueuepush as set in virtioscsicompletereq / virtioblkreqcomplete / viritocryptoreqcomplete could be larger than the true size of the data which has been sent to guest. Once virtqueuepush() finally calls dmamemoryunmap to ummap the iniov, it may call the addressspacewrite function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an information leak.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-8612

Affected packages

Azure Linux:2 / qemu

Package

Name: qemu
Purl: pkg:rpm/azure-linux/qemu

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

6.2.0-26

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-60151.json"