CVE-2024-32668
moderate-risk
Published 2024-09-05
An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller. A malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.
Do I need to act?
-
0.11% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.2/10
High
LOCAL
/ LOW complexity
Affected Products (20)
Affected Vendors
References (2)
46
/ 100
moderate-risk
Severity
25/34 · High
Exploitability
0/34 · Minimal
Exposure
21/34 · High