DEBIAN-CVE-2024-8612

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/DEBIAN-CVE-2024-8612

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2024-8612.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2024-8612

Upstream

CVE-2024-8612

Published

2024-09-20T18:15:04Z

Modified

2025-09-18T05:18:57Z

Summary

[none]

Details

A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueuepush as set in virtioscsicompletereq / virtioblkreqcomplete / viritocryptoreqcomplete could be larger than the true size of the data which has been sent to guest. Once virtqueuepush() finally calls dmamemoryunmap to ummap the iniov, it may call the addressspacewrite function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an information leak.

References

https://security-tracker.debian.org/tracker/CVE-2024-8612

Affected packages

Debian:11 / qemu

Package

Name: qemu
Purl: pkg:deb/debian/qemu?arch=source

Affected ranges

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / qemu

Package

Name: qemu
Purl: pkg:deb/debian/qemu?arch=source

Affected ranges

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / qemu

Package

Name: qemu
Purl: pkg:deb/debian/qemu?arch=source

Affected ranges

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / qemu

Package

Name: qemu
Purl: pkg:deb/debian/qemu?arch=source

Affected ranges

Ecosystem specific

{
    "urgency": "not yet assigned"
}