CVE-2024-3446 HIGH

CVE-2024-3446: Qemu: virtio: dma reentrancy issue leads to double free vulnerability

Vendor Red Hat
Product Red Hat Enterprise Linux 6
Weakness CWE-415
Published April 9, 2024
Last update May 2, 2025

CVSS base score

8.2/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the context of the QEMU process on the host.

Key dates

02Disclosure timeline

April 9, 2024 CVE published
May 2, 2025 Record updated