CVE-2023-2700

2023-05-1500:00:00

ubuntu.com

libvirt

memory leak

sr-iov pci

vulnerability

bugzilla

red hat

mdeslaur

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

5.1%

JSON

A vulnerability was found in libvirt. This security flaw ouccers due to
repeatedly querying an SR-IOV PCI device’s capabilities that exposes a
memory leak caused by a failure to free the virPCIVirtualFunction array
within the parent struct’s g_autoptr cleanup.

Bugs

<https://bugzilla.redhat.com/show_bug.cgi?id=2193311 (private)>

Notes

Author	Note
mdeslaur	looks like this was introduced in: c97518d9b833a607f29b9bb02e3fbe74c011c088

OSVersionArchitecturePackageVersionFilename
ubuntu22.04noarchlibvirt< 8.0.0-1ubuntu7.5UNKNOWN
ubuntu22.10noarchlibvirt< 8.6.0-0ubuntu3.2UNKNOWN
ubuntu23.04noarchlibvirt< 9.0.0-2ubuntu1.1UNKNOWN