Red Hat Advanced Virtualization
By the Year
In 2025 there have been 4 vulnerabilities in Red Hat Advanced Virtualization, with an average score of 5.6 out of ten. Last year, in 2024, Advanced Virtualization had 15 security vulnerabilities published. Right now, Advanced Virtualization is on track to have fewer security vulnerabilities in 2025 than it did last year. Last year's average CVE base score was greater by 0.34.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 4 | 5.58 |
| 2024 | 15 | 5.91 |
| 2023 | 5 | 6.14 |
It may take a day or so for new Advanced Virtualization vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Advanced Virtualization Security Vulnerabilities
QEMU e1000 Driver Buffer Overflow Enables Host DoS
CVE-2025-12464 | 6.2 - Medium | October 31, 2025
A stack-based buffer overflow was found in the QEMU e1000 network device. The code for padding short frames was dropped from individual network devices and moved to the net core code. The issue stems from the device's receive code still being able to process a short frame in loopback mode. This could lead to a buffer overrun in the e1000_receive_iov() function via the loopback code path. A malicious guest user could use this vulnerability to crash the QEMU process on the host, resulting in a denial of service.
Stack Overflow
QEMU QIOChannelWebsock UAF via WebSocket handshake
CVE-2025-11234 | 7.5 - High | October 03, 2025
A flaw was found in QEMU. If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This can be abused by a malicious client with network access to the VNC WebSocket port to cause a denial of service during the WebSocket handshake prior to the VNC client authentication.
Dangling pointer
DoS via Block Size Mismatch in nbdkit Server
CVE-2025-47711 | 4.3 - Medium | June 09, 2025
There's a flaw in the nbdkit server when handling responses from its plugins regarding the status of data blocks. If a client makes a specific request for a very large data range, and a plugin responds with an even larger single block, the nbdkit server can encounter a critical internal error, leading to a denial-of-service.
off-by-five
nbdkit Blocksize Filter: DoS via Large Range Request
CVE-2025-47712 | 4.3 - Medium | June 09, 2025
A flaw exists in the nbdkit "blocksize" filter that can be triggered by a specific type of client request. When a client requests block status information for a very large data range, exceeding a certain limit, it causes an internal error in the nbdkit, leading to a denial of service.
Integer Overflow or Wraparound
QEMU VIRTIO (blk/scsi/crypto) Data Leak via Uninitialized Bounce Buffer
CVE-2024-8612 | 3.8 - Low | September 20, 2024
A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueue_push as set in virtio_scsi_complete_req / virtio_blk_req_complete / virtio_crypto_req_complete could be larger than the true size of the data which has been sent to the guest. Once virtqueue_push() finally calls dma_memory_unmap to unmap the in_iov, it may call the address_space_write function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an information leak.
Information Disclosure
QEMU USB Endpoint Assertion Failure (CVE-2024-8354)
CVE-2024-8354 | 5.5 - Medium | September 19, 2024
A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition.
assertion failure
libvirt: NULL-pointer Deref Crash via 0-byte Alloc on virtinterfaced
CVE-2024-8235 | 6.2 - Medium | August 30, 2024
A flaw was found in libvirt. A refactor of the code fetching the list of interfaces for multiple APIs introduced a corner case on platforms where allocating 0 bytes of memory results in a NULL pointer. This corner case would lead to a NULL-pointer dereference and subsequent crash of virtinterfaced. This issue could allow clients connecting to the read-only socket to crash the virtinterfaced daemon.
NULL Pointer Dereference
libnbd Client TLS Certificate Verification Flaw Enables MITM
CVE-2024-7383 | 7.4 - High | August 05, 2024
A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic.
Improper Certificate Validation
QEMU NBD Server DoS via improper socket close sync
CVE-2024-7409 | August 05, 2024
A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline.
Improper Synchronization
Heap Overflow in QEMU Virtio-Net RSS
CVE-2024-6505 | 6.8 - Medium | July 05, 2024
A flaw was found in the virtio-net device in QEMU. When enabling the RSS feature on the virtio-net network card, the indirections_table data within RSS becomes controllable. Setting excessively large values may cause an index out-of-bounds issue, potentially resulting in heap overflow access. This flaw allows a privileged user in the guest to crash the QEMU process on the host.
Out-of-bounds Read
QEMU qemu-img 'info' JSON DoS via crafted block device
CVE-2024-4467 | 7.8 - High | July 02, 2024
A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file.
Resource Exhaustion
QEMU Virtio PCI Crash via Improper IRQFD Release during Boot
CVE-2024-4693 | 5.5 - Medium | May 14, 2024
A flaw was found in the QEMU Virtio PCI Bindings (hw/virtio/virtio-pci.c). An improper release and use of the irqfd for vector 0 during the boot process leads to a guest triggerable crash via vhost_net_stop(). This flaw allows a malicious guest to crash the QEMU process on the host.
Operation on a Resource after Expiration or Release
libvirt Race Condition leads to stack use-after-free via virtproxyd
CVE-2024-4418 | 6.2 - Medium | May 08, 2024
A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being "freed" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it.
Dangling pointer
QEMU Fragmented Packet Assertion Crash (CVE-2024-3567)
CVE-2024-3567 | 5.5 - Medium | April 10, 2024
A flaw was found in QEMU. An assertion failure was present in the update_sctp_checksum() function in hw/net/net_tx_pkt.c when trying to calculate the checksum of a short-sized fragmented packet. This flaw allows a malicious guest to crash QEMU and cause a denial of service condition.
assertion failure
libvirt RPC Deserialization Overalloc ULP DoS
CVE-2024-2494 | 6.2 - Medium | March 21, 2024
A flaw was found in the RPC library APIs of libvirt. The RPC server deserialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length to the g_new0 function results in a crash due to the negative length being treated as a huge positive number. This flaw allows a local, unprivileged user to perform a denial of service attack by causing the libvirt daemon to crash.
Stack Exhaustion
NULL Pointer Deref in libvirt udevConnectListAllInterfaces DoS
CVE-2024-2496 | 5 - Medium | March 18, 2024
A NULL pointer dereference flaw was found in the udevConnectListAllInterfaces() function in libvirt. This issue can occur when detaching a host interface while at the same time collecting the list of interfaces via virConnectListAllInterfaces API. This flaw could be used to perform a denial of service attack by causing the libvirt daemon to crash.
NULL Pointer Dereference
libvirt Unprivileged DoS via Off-By-One in udevListInterfacesByStatus
CVE-2024-1441 | 5.5 - Medium | March 11, 2024
An off-by-one error flaw was found in the udevListInterfacesByStatus() function in libvirt when the number of interfaces exceeds the size of the `names` array. This issue can be reproduced by sending specially crafted data to the libvirt daemon, allowing an unprivileged client to perform a denial of service attack by causing the libvirt daemon to crash.
off-by-five
QEMU VNC Server Null Pointer Deref in Clipboard Handling
CVE-2023-6683 | 6.5 - Medium | January 12, 2024
A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service.
NULL Pointer Dereference
QEMU virtio-net buffer overflow during flush_tx causes info leak
CVE-2023-6693 | 4.9 - Medium | January 02, 2024
A stack-based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if the guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak.
Stack Overflow
QEMU L2 Guest Disk Offset Overwrite Vulnerability (CVE-2023-5088)
CVE-2023-5088 | 6.4 - Medium | November 03, 2023
A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot.
Incorrect Synchronization
libnbd: Block Size Misinterpretation Causing Client Crash
CVE-2023-5215 | 5.3 - Medium | September 28, 2023
A flaw was found in libnbd. A server can reply with a block size larger than 2^63 (the NBD spec states the size is a 64-bit unsigned value). This issue could lead to an application crash or other unintended behavior for NBD clients that don't treat the return value of the nbd_get_size() function correctly.
Improper Handling of Unexpected Data Type
A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages
CVE-2023-3255 | 6.5 - Medium | September 13, 2023
A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker-controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service.
Infinite Loop
A flaw was found in libvirt
CVE-2023-3750 | 6.5 - Medium | July 24, 2023
A flaw was found in libvirt. The virStoragePoolObjListSearch function does not return a locked pool as expected, resulting in a race condition and denial of service when attempting to lock the same object from another thread. This issue could allow clients connecting to the read-only socket to crash the libvirt daemon.
Improper Locking
A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU
CVE-2023-3019 | 6 - Medium | July 24, 2023
A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
Dangling pointer