Red Hat Rhev Hypervisor
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Red Hat Rhev Hypervisor.
By the Year
In 2026 there have been 0 vulnerabilities in Red Hat Rhev Hypervisor. Rhev Hypervisor did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 10 | 6.61 |
| 2023 | 23 | 6.61 |
It may take a day or so for new Rhev Hypervisor vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Rhev Hypervisor Security Vulnerabilities
oVirt: Admin can view Provider passwords via DevTools (CVE-2024-7259)
CVE-2024-7259
4.9 - Medium
- September 26, 2024
A flaw was found in oVirt. A user with administrator privileges, including users with the ReadOnlyAdmin permission, may be able to use browser developer tools to view Provider passwords in cleartext.
Cleartext Storage of Sensitive Information
SSSD Race Condition Allows Improper User Authorization
CVE-2023-3758
7.1 - High
- April 18, 2024
A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.
Race Condition
Linux NVMe Driver NULL Deref via Malicious TCP Packets
CVE-2023-6356
6.5 - Medium
- February 07, 2024
A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service.
NULL Pointer Dereference
Linux Kernel NVMe-over-TCP NULL ptr deref leads to DoS
CVE-2023-6535
6.5 - Medium
- February 07, 2024
A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.
NULL Pointer Dereference
Linux Kernel NVMe over TCP NULL ptr deref Kernel Panic/DoS
CVE-2023-6536
6.5 - Medium
- February 07, 2024
A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.
NULL Pointer Dereference
Remote Decrypt in TLS RSA via M2Crypto: CVE-2023-50781
CVE-2023-50781
7.5 - High
- February 05, 2024
A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
Observable Timing Discrepancy
Linux Kernel kTLS splice OOB write flaw CVE-2024-0646
CVE-2024-0646
7 - High
- January 17, 2024
An out-of-bounds memory write flaw was found in the Linux kernels Transport Layer Security functionality in how a user calls a function splice with a ktls socket as the destination. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Memory Corruption
OOB Read in SMB Client due to Integer Underflow CVE-2024-0565
CVE-2024-0565
6.8 - Medium
- January 15, 2024
An out-of-bounds memory read flaw was found in receive_encrypted_standard in fs/smb/client/smb2ops.c in the SMB Client sub-component in the Linux Kernel. This issue occurs due to integer underflow on the memcpy length, leading to a denial of service.
Integer underflow
Linux Kernel UAF in bdi_writeback during disk removal leads to freed memory access
CVE-2024-0562
7.8 - High
- January 15, 2024
A use-after-free flaw was found in the Linux Kernel. When a disk is removed, bdi_unregister is called to stop further write-back and waits for associated delayed work to complete. However, wb_inode_writeback_end() may schedule bandwidth estimation work after this has completed, which can result in the timer attempting to access the recently freed bdi_writeback.
Dangling pointer
Linux Kernel DoS via nf_conntrack_netlink memory leak
CVE-2023-7192
5.5 - Medium
- January 02, 2024
A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. This issue may allow a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow.
Memory Leak
Linux Kernel gsm tty multiplexer race leads to local privilege escalation
CVE-2023-6546
7 - High
- December 21, 2023
A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads execute the GSMIOC_SETCONF ioctl on the same tty file descriptor with the gsm line discipline enabled, and can lead to a use-after-free problem on a struct gsm_dlci while restarting the gsm mux. This could allow a local unprivileged user to escalate their privileges on the system.
Dangling pointer
Linux Kernel SMB client OOB read in smbCalcSize
CVE-2023-6606
7.1 - High
- December 08, 2023
An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.
Out-of-bounds Read
Linux Kernel SMB2 OOB Read Leak (CVE-2023-6610)
CVE-2023-6610
7.1 - High
- December 08, 2023
An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.
Out-of-bounds Read
Samba rpcecho RPC DoS via dcesrv_echo_TestSleep()
CVE-2023-42669
6.5 - Medium
- November 06, 2023
A vulnerability was found in Samba's "rpcecho" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the "rpcecho" service operates with only one worker in the main RPC task, allowing calls to the "rpcecho" server to be blocked for a specified time, causing service disruptions. This disruption is triggered by a "sleep()" call in the "dcesrv_echo_TestSleep()" function under specific conditions. Authenticated users or attackers can exploit this vulnerability to make calls to the "rpcecho" server, requesting it to block for a specified duration, effectively disrupting most services and leading to a complete denial of service on the AD DC. The DoS affects all other services as "rpcecho" runs in the main RPC task.
Resource Exhaustion
Samba Pipe Name Path Traversal Potential Priv Escalation
CVE-2023-3961
9.1 - Critical
- November 03, 2023
A path traversal vulnerability was identified in Samba when processing client pipe names connecting to Unix domain sockets within a private directory. Samba typically uses this mechanism to connect SMB clients to remote procedure call (RPC) services like SAMR LSA or SPOOLSS, which Samba initiates on demand. However, due to inadequate sanitization of incoming client pipe names, allowing a client to send a pipe name containing Unix directory traversal characters (../). This could result in SMB clients connecting as root to Unix domain sockets outside the private directory. If an attacker or client managed to send a pipe name resolving to an external service using an existing Unix domain socket, it could potentially lead to unauthorized access to the service and consequential adverse events, including compromise or service crashes.
Directory traversal
Samba SMB Truncation via acl_xattr despite Read-Only
CVE-2023-4091
6.5 - Medium
- November 03, 2023
A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.
Incorrect Default Permissions
UAF in Linux NVMe/TCP nvmet_tcp_free_crypto enabling RCE
CVE-2023-5178
8.8 - High
- November 01, 2023
A use-after-free vulnerability was found in drivers/nvme/target/tcp.c` in `nvmet_tcp_free_crypto` due to a logical bug in the NVMe/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause a use-after-free and double-free problem, which may permit remote code execution or lead to local privilege escalation.
Dangling pointer
Buffer Overflow in glibc's ld.so via GLIBC_TUNABLES env var
CVE-2023-4911
7.8 - High
- October 03, 2023
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
Heap-based Buffer Overflow
Linux Kernel Local user DOS via pfn_swap_entry_to_page
CVE-2023-4732
4.7 - Medium
- October 03, 2023
A flaw was found in pfn_swap_entry_to_page in memory management subsystem in the Linux Kernel. In this flaw, an attacker with a local user privilege may cause a denial of service problem due to a BUG statement referencing pmd_t x.
Race Condition within a Thread
CVE-2023-42753: Netfilter Array Indexing Bug in Linux Kernel
CVE-2023-42753
7 - High
- September 25, 2023
An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.
Memory Corruption
glibc getaddrinfo NPE after NSS module missing gethostbyname3
CVE-2023-4806
5.9 - Medium
- September 18, 2023
A flaw has been identified in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.
Dangling pointer
glibc Gaih_inet UAF via getaddrinfo with SUCCESS=continue/merge
CVE-2023-4813
5.9 - Medium
- September 12, 2023
A flaw has been identified in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.
Dangling pointer
NULL ptr deref in vmxnet3 driver (Linux kernel) allows local DOS
CVE-2023-4459
5.5 - Medium
- August 21, 2023
A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with normal user privilege to cause a denial of service due to a missing sanity check during cleanup.
NULL Pointer Dereference
Local exploit: Linux kernel TUN/TAP UID init flaw bypassing network filters.
CVE-2023-4194
5.5 - Medium
- August 07, 2023
A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid"), - 66b2c338adce ("tap: tap_open(): correctly initialize socket uid"), pass "inode->i_uid" to sock_init_data_uid() as the last parameter and that turns out to not be accurate.
AuthZ
Use-After-Free in siaNno smsusb Module Allows Local DoS in Linux
CVE-2023-4132
5.5 - Medium
- August 03, 2023
A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition.
Dangling pointer
Linux Kernel UAF in netfilter nft_pipapo_remove for local privilege escalation
CVE-2023-4004
7.8 - High
- July 31, 2023
A use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system.
Dangling pointer
Linux Kernel XFRM NullPointer Deref via CAP_NET_ADMIN DoS
CVE-2023-3772
5.5 - Medium
- July 25, 2023
A flaw was found in the Linux kernels IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.
NULL Pointer Dereference
Linux Kernel UAF in vc_screen.c allows local crash/leak
CVE-2023-3567
7.1 - High
- July 24, 2023
A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. This issue may allow an attacker with local user access to cause a system crash or leak internal kernel information.
Dangling pointer
Linux Kernel TUN/TAP OOB MemAccess PrivEsc via Malicious Packet
CVE-2023-3812
7.8 - High
- July 24, 2023
An out-of-bounds memory access flaw was found in the Linux kernels TUN/TAP device driver functionality in how a user generates a malicious (too big) networking packet when napi frags is enabled. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Memory Corruption
Samba Spotlight Path Disclosure: Server File Paths Exposed
CVE-2023-34968
5.3 - Medium
- July 20, 2023
A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request to view the information that is part of the disclosed path.
Insertion of Sensitive Information Into Sent Data
Samba OOB Read in Winbind NTLM Auth Crash
CVE-2022-2127
5.9 - Medium
- July 20, 2023
An out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to check the lan manager response length. When Winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in Winbind, possibly resulting in a crash.
Out-of-bounds Read
Samba mdssvc Spotlight RPC Infinite Loop DoS
CVE-2023-34966
7.5 - High
- July 20, 2023
An infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition.
Infinite Loop
Samba mdssvc RPC Type Confusion Crash
CVE-2023-34967
5.3 - Medium
- July 20, 2023
A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves.
Object Type Confusion
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Red Hat Rhev Hypervisor or by Red Hat? Click the Watch button to subscribe.
