CVE-2020-12430

moderate-risk

Published 2020-04-28

An issue was discovered in qemuDomainGetStatsIOThread in qemu/qemu_driver.c in libvirt 4.10.0 though 6.x before 6.1.0. A memory leak was found in the virDomainListGetStats libvirt API that is responsible for retrieving domain statistics when managing QEMU guests. This flaw allows unprivileged users with a read-only connection to cause a memory leak in the domstats command, resulting in a potential denial of service.

Do I need to act?

-

0.86% chance of exploitation

EPSS score — low exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

6

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Libvirt

Enterprise Linux

Affected Vendors

Redhat

References (14)

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1804548

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1828190

https://libvirt.org/git/?p=libvirt.git%3Ba=commit%3Bh=9bf9e0ae6af38c806f4672ca7b...

https://lists.debian.org/debian-lts-announce/2024/04/msg00000.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

https://security.netapp.com/advisory/ntap-20200518-0003/

https://usn.ubuntu.com/4371-1/

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1804548

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1828190

https://libvirt.org/git/?p=libvirt.git%3Ba=commit%3Bh=9bf9e0ae6af38c806f4672ca7b...

https://lists.debian.org/debian-lts-announce/2024/04/msg00000.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

https://security.netapp.com/advisory/ntap-20200518-0003/

https://usn.ubuntu.com/4371-1/

34

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 3/34 · Minimal

Exposure 7/34 · Low