Search criteria
1715 vulnerabilities found for freebsd by freebsd
CVE-2025-24934 (GCVE-0-2025-24934)
Vulnerability from cvelistv5 – Published: 2025-10-22 17:43 – Updated: 2025-10-22 20:01
VLAI?
Summary
Software which sets SO_REUSEPORT_LB on a socket and then connects it to a host will not directly observe any problems. However, due to its membership in a load-balancing group, that socket will receive packets originating from any host. This breaks the contract of the connect(2) and implied connect via sendto(2), and may leave the application vulnerable to spoofing attacks.
The kernel failed to check the connection state of sockets when adding them to load-balancing groups. Furthermore, when looking up the destination socket for an incoming packet, the kernel will match a socket belonging to a load-balancing group even if it is connected, in violation of the contract that connected sockets are only supposed to receive packets originating from the connected host.
Severity ?
5.4 (Medium)
CWE
- CWE-488 - Exposure of Data Element to Wrong Session
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
MSc. student Omer Ben Simhon from the Hebrew University School of Computer Science and Engineering
Prof. Amit Klein from the Hebrew University School of Computer Science and Engineering
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-24934",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T19:58:47.874750Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T20:01:34.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"netinet"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p1",
"status": "affected",
"version": "15.0-BETA2",
"versionType": "beta"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "13.5-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "MSc. student Omer Ben Simhon from the Hebrew University School of Computer Science and Engineering"
},
{
"lang": "en",
"type": "finder",
"value": "Prof. Amit Klein from the Hebrew University School of Computer Science and Engineering"
}
],
"datePublic": "2025-10-22T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eSoftware which sets SO_REUSEPORT_LB on a socket and then connects it to a host will not directly observe any problems. However, due to its membership in a load-balancing group, that socket will receive packets originating from any host. This breaks the contract of the connect(2) and implied connect via sendto(2), and may leave the application vulnerable to spoofing attacks.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe kernel failed to check the connection state of sockets when adding them to load-balancing groups. Furthermore, when looking up the destination socket for an incoming packet, the kernel will match a socket belonging to a load-balancing group even if it is connected, in violation of the contract that connected sockets\u0026nbsp;are only supposed to receive packets originating from the connected host.\u003c/div\u003e"
}
],
"value": "Software which sets SO_REUSEPORT_LB on a socket and then connects it to a host will not directly observe any problems. However, due to its membership in a load-balancing group, that socket will receive packets originating from any host. This breaks the contract of the connect(2) and implied connect via sendto(2), and may leave the application vulnerable to spoofing attacks.\n\n\n\n\nThe kernel failed to check the connection state of sockets when adding them to load-balancing groups. Furthermore, when looking up the destination socket for an incoming packet, the kernel will match a socket belonging to a load-balancing group even if it is connected, in violation of the contract that connected sockets\u00a0are only supposed to receive packets originating from the connected host."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-488",
"description": "CWE-488: Exposure of Data Element to Wrong Session",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T17:43:12.326Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-25:09.netinet.asc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SO_REUSEPORT_LB breaks connect(2) for UDP sockets",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2025-24934",
"datePublished": "2025-10-22T17:43:12.326Z",
"dateReserved": "2025-01-29T03:07:26.190Z",
"dateUpdated": "2025-10-22T20:01:34.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0662 (GCVE-0-2025-0662)
Vulnerability from cvelistv5 – Published: 2025-01-30 04:49 – Updated: 2025-02-07 17:02
VLAI?
Summary
In some cases, the ktrace facility will log the contents of kernel structures to userspace. In one such case, ktrace dumps a variable-sized sockaddr to userspace. There, the full sockaddr is copied, even when it is shorter than the full size. This can result in up to 14 uninitialized bytes of kernel memory being copied out to userspace.
It is possible for an unprivileged userspace program to leak 14 bytes of a kernel heap allocation to userspace.
Severity ?
4.9 (Medium)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
Yichen Chai
Zhuo Ying Jiang Li
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-0662",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-30T15:20:56.339386Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-31T20:00:09.502Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-02-07T17:02:55.076Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250207-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ktrace"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p1",
"status": "affected",
"version": "14.2-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yichen Chai"
},
{
"lang": "en",
"type": "finder",
"value": "Zhuo Ying Jiang Li"
}
],
"datePublic": "2025-01-29T21:33:19.000Z",
"descriptions": [
{
"lang": "en",
"value": "In some cases, the ktrace facility will log the contents of kernel structures to userspace. In one such case, ktrace dumps a variable-sized sockaddr to userspace. There, the full sockaddr is copied, even when it is shorter than the full size. This can result in up to 14 uninitialized bytes of kernel memory being copied out to userspace.\n\nIt is possible for an unprivileged userspace program to leak 14 bytes of a kernel heap allocation to userspace."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-30T04:49:56.482Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-25:04.ktrace.asc"
}
],
"title": "Uninitialized kernel memory disclosure via ktrace(2)"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2025-0662",
"datePublished": "2025-01-30T04:49:56.482Z",
"dateReserved": "2025-01-23T01:56:01.677Z",
"dateUpdated": "2025-02-07T17:02:55.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0374 (GCVE-0-2025-0374)
Vulnerability from cvelistv5 – Published: 2025-01-30 04:49 – Updated: 2025-02-07 17:02
VLAI?
Summary
When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file, and is world-readable. This applies to files that would normally have restricted visibility, such as /etc/master.passwd.
An unprivileged local user may be able to read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This is possible only when conflicts within the password file arise during an update, and the unprotected file is deleted when conflicts are resolved.
Severity ?
6.5 (Medium)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Christos Chatzaras
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-0374",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T15:41:16.838358Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T15:43:07.693Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-02-07T17:02:52.274Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250207-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"etcupdate"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p1",
"status": "affected",
"version": "14.2-RELEASE",
"versionType": "release"
},
{
"lessThan": "p7",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p3",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christos Chatzaras"
}
],
"datePublic": "2025-01-29T21:45:18.000Z",
"descriptions": [
{
"lang": "en",
"value": "When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file, and is world-readable. This applies to files that would normally have restricted visibility, such as /etc/master.passwd.\n\nAn unprivileged local user may be able to read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This is possible only when conflicts within the password file arise during an update, and the unprotected file is deleted when conflicts are resolved."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-30T04:49:07.687Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-25:03.etcupdate.asc"
}
],
"title": "Unprivileged access to system files"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2025-0374",
"datePublished": "2025-01-30T04:49:07.687Z",
"dateReserved": "2025-01-10T08:54:23.906Z",
"dateUpdated": "2025-02-07T17:02:52.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0373 (GCVE-0-2025-0373)
Vulnerability from cvelistv5 – Published: 2025-01-30 04:48 – Updated: 2025-02-07 17:02
VLAI?
Summary
On 64-bit systems, the implementation of VOP_VPTOFH() in the cd9660, tarfs and ext2fs filesystems overflows the destination FID buffer by 4 bytes, a stack buffer overflow.
A NFS server that exports a cd9660, tarfs, or ext2fs file system can be made to panic by mounting and accessing the export with an NFS client. Further exploitation (e.g., bypassing file permission checking or remote kernel code execution) is potentially possible, though this has not been demonstrated. In particular, release kernels are compiled with stack protection enabled, and some instances of the overflow are caught by this mechanism, causing a panic.
Severity ?
6 (Medium)
CWE
- CWE-121 - Stack-based Overflow
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Kevin Miller
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-0373",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-30T15:53:35.828001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T15:55:39.247Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-02-07T17:02:45.863Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250207-0009/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"fs"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p1",
"status": "affected",
"version": "14.2-RELEASE",
"versionType": "release"
},
{
"lessThan": "p7",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p3",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kevin Miller"
}
],
"datePublic": "2025-01-29T21:31:05.000Z",
"descriptions": [
{
"lang": "en",
"value": "On 64-bit systems, the implementation of VOP_VPTOFH() in the cd9660, tarfs and ext2fs filesystems overflows the destination FID buffer by 4 bytes, a stack buffer overflow.\n\nA NFS server that exports a cd9660, tarfs, or ext2fs file system can be made to panic by mounting and accessing the export with an NFS client. Further exploitation (e.g., bypassing file permission checking or remote kernel code execution) is potentially possible, though this has not been demonstrated. In particular, release kernels are compiled with stack protection enabled, and some instances of the overflow are caught by this mechanism, causing a panic."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-30T04:48:03.054Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-25:02.fs.asc"
}
],
"title": "Buffer overflow in some filesystems via NFS"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2025-0373",
"datePublished": "2025-01-30T04:48:03.054Z",
"dateReserved": "2025-01-10T08:47:56.804Z",
"dateUpdated": "2025-02-07T17:02:45.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45289 (GCVE-0-2024-45289)
Vulnerability from cvelistv5 – Published: 2024-11-12 15:06 – Updated: 2025-01-10 13:06
VLAI?
Summary
The fetch(3) library uses environment variables for passing certain information, including the revocation file pathname. The environment variable name used by fetch(1) to pass the filename to the library was incorrect, in effect ignoring the option.
Fetch would still connect to a host presenting a certificate included in the revocation file passed to the --crl option.
Severity ?
7.5 (High)
CWE
- CWE-665 - Improper Initialization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Franco Fichtner
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "p6",
"status": "affected",
"version": "14.1-release",
"versionType": "custom"
},
{
"lessThan": "p2",
"status": "affected",
"version": "13.4-release",
"versionType": "custom"
},
{
"lessThan": "p8",
"status": "affected",
"version": "13.3-release",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45289",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-13T14:22:38.085444Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-13T14:26:36.792Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-01-10T13:06:48.187Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250110-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"bhyve"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p6",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p2",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p8",
"status": "affected",
"version": "13.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Franco Fichtner"
}
],
"datePublic": "2024-10-29T21:32:58.000Z",
"descriptions": [
{
"lang": "en",
"value": "The fetch(3) library uses environment variables for passing certain information, including the revocation file pathname. The environment variable name used by fetch(1) to pass the filename to the library was incorrect, in effect ignoring the option.\n\nFetch would still connect to a host presenting a certificate included in the revocation file passed to the --crl option."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-665",
"description": "CWE-665 Improper Initialization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:06:08.435Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:18.ctl.asc"
}
],
"title": "Unbounded allocation in ctl(4) CAM Target Layer"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2024-45289",
"datePublished": "2024-11-12T15:06:08.435Z",
"dateReserved": "2024-08-26T14:20:00.870Z",
"dateUpdated": "2025-01-10T13:06:48.187Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39281 (GCVE-0-2024-39281)
Vulnerability from cvelistv5 – Published: 2024-11-12 15:01 – Updated: 2025-01-10 13:06
VLAI?
Summary
The command ctl_persistent_reserve_out allows the caller to specify an arbitrary size which will be passed to the kernel's memory allocator.
Severity ?
5.3 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Synacktiv
The FreeBSD Foundation
The Alpha-Omega Project
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-39281",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T20:09:13.996777Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T20:19:19.316Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-01-10T13:06:46.829Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250110-0002/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"bhyve"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p6",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p2",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p8",
"status": "affected",
"version": "13.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Synacktiv"
},
{
"lang": "en",
"type": "sponsor",
"value": "The FreeBSD Foundation"
},
{
"lang": "en",
"type": "sponsor",
"value": "The Alpha-Omega Project"
}
],
"datePublic": "2024-10-29T21:32:58.000Z",
"descriptions": [
{
"lang": "en",
"value": "The command ctl_persistent_reserve_out allows the caller to specify an arbitrary size which will be passed to the kernel\u0027s memory allocator."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:01:57.151Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:18.ctl.asc"
}
],
"title": "Unbounded allocation in ctl(4) CAM Target Layer"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2024-39281",
"datePublished": "2024-11-12T15:01:57.151Z",
"dateReserved": "2024-08-27T16:30:55.986Z",
"dateUpdated": "2025-01-10T13:06:46.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51566 (GCVE-0-2024-51566)
Vulnerability from cvelistv5 – Published: 2024-11-12 14:58 – Updated: 2025-11-03 20:45
VLAI?
Summary
The NVMe driver queue processing is vulernable to guest-induced infinite loops.
Severity ?
6.5 (Medium)
CWE
- CWE-1285 - Improper Validation of Specified Index, Position, or Offset in Input
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Synacktiv
The FreeBSD Foundation
The Alpha-Omega Project
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51566",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T20:21:19.395074Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T20:22:34.040Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:45:22.798Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250207-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"bhyve"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p6",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p2",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p8",
"status": "affected",
"version": "13.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Synacktiv"
},
{
"lang": "en",
"type": "sponsor",
"value": "The FreeBSD Foundation"
},
{
"lang": "en",
"type": "sponsor",
"value": "The Alpha-Omega Project"
}
],
"datePublic": "2024-10-29T21:32:53.000Z",
"descriptions": [
{
"lang": "en",
"value": "The NVMe driver queue processing is vulernable to guest-induced infinite loops."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1285",
"description": "CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:58:04.254Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:17.bhyve.asc"
}
],
"title": "bhyve(8) NVMe driver to guest-induced infinite loops."
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2024-51566",
"datePublished": "2024-11-12T14:58:04.254Z",
"dateReserved": "2024-10-29T17:16:43.254Z",
"dateUpdated": "2025-11-03T20:45:22.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-51565 (GCVE-0-2024-51565)
Vulnerability from cvelistv5 – Published: 2024-11-12 14:53 – Updated: 2025-11-03 20:45
VLAI?
Summary
The hda driver is vulnerable to a buffer over-read from a guest-controlled value.
Severity ?
6.5 (Medium)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Synacktiv
The FreeBSD Foundation
The Alpha-Omega Project
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T20:22:46.033255Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T20:24:12.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:45:21.398Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250207-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"bhyve"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p6",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p2",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p8",
"status": "affected",
"version": "13.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Synacktiv"
},
{
"lang": "en",
"type": "sponsor",
"value": "The FreeBSD Foundation"
},
{
"lang": "en",
"type": "sponsor",
"value": "The Alpha-Omega Project"
}
],
"datePublic": "2024-10-29T21:32:53.000Z",
"descriptions": [
{
"lang": "en",
"value": "The hda driver is vulnerable to a buffer over-read from a guest-controlled value."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:53:46.211Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:17.bhyve.asc"
}
],
"title": "bhyve(8) hda driver buffer over-read"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2024-51565",
"datePublished": "2024-11-12T14:53:46.211Z",
"dateReserved": "2024-10-29T17:16:43.254Z",
"dateUpdated": "2025-11-03T20:45:21.398Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-51564 (GCVE-0-2024-51564)
Vulnerability from cvelistv5 – Published: 2024-11-12 14:51 – Updated: 2025-11-03 20:45
VLAI?
Summary
A guest can trigger an infinite loop in the hda audio driver.
Severity ?
7.5 (High)
CWE
- CWE-1285 - Improper Validation of Specified Index, Position, or Offset in Input
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Synacktiv
The FreeBSD Foundation
The Alpha-Omega Project
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:13.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "13.3_p8",
"status": "affected",
"version": "13.3",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:13.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "13.4_p2",
"status": "affected",
"version": "13.4",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:14.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "14.1_p6",
"status": "affected",
"version": "14.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51564",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T17:13:07.789111Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T17:13:11.283Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:45:19.837Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250207-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"bhyve"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p6",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p2",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p8",
"status": "affected",
"version": "13.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Synacktiv"
},
{
"lang": "en",
"type": "sponsor",
"value": "The FreeBSD Foundation"
},
{
"lang": "en",
"type": "sponsor",
"value": "The Alpha-Omega Project"
}
],
"datePublic": "2024-10-29T21:32:53.000Z",
"descriptions": [
{
"lang": "en",
"value": "A guest can trigger an infinite loop in the hda audio driver."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1285",
"description": "CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:51:51.757Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:17.bhyve.asc"
}
],
"title": "bhyve(8) infinite loop in the hda audio driver"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2024-51564",
"datePublished": "2024-11-12T14:51:51.757Z",
"dateReserved": "2024-10-29T17:16:43.254Z",
"dateUpdated": "2025-11-03T20:45:19.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-51563 (GCVE-0-2024-51563)
Vulnerability from cvelistv5 – Published: 2024-11-12 14:47 – Updated: 2025-11-03 20:45
VLAI?
Summary
The virtio_vq_recordon function is subject to a time-of-check to time-of-use (TOCTOU) race condition.
Severity ?
6.5 (Medium)
CWE
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Synacktiv
The FreeBSD Foundation
The Alpha-Omega Project
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51563",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T20:22:49.810681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T20:24:23.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:45:18.070Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250207-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"bhyve"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p6",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p2",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p8",
"status": "affected",
"version": "13.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Synacktiv"
},
{
"lang": "en",
"type": "sponsor",
"value": "The FreeBSD Foundation"
},
{
"lang": "en",
"type": "sponsor",
"value": "The Alpha-Omega Project"
}
],
"datePublic": "2024-10-29T21:32:53.000Z",
"descriptions": [
{
"lang": "en",
"value": "The virtio_vq_recordon function is subject to a time-of-check to time-of-use (TOCTOU) race condition."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:47:28.189Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:17.bhyve.asc"
}
],
"title": "bhyve(8) virtio_vq_recordon time-of-check to time-of-use race"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2024-51563",
"datePublished": "2024-11-12T14:47:28.189Z",
"dateReserved": "2024-10-29T17:16:43.254Z",
"dateUpdated": "2025-11-03T20:45:18.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-51562 (GCVE-0-2024-51562)
Vulnerability from cvelistv5 – Published: 2024-11-12 14:44 – Updated: 2025-11-03 20:45
VLAI?
Summary
The NVMe driver function nvme_opc_get_log_page is vulnerable to a buffer over-read from a guest-controlled value.
Severity ?
6.5 (Medium)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Synacktiv
The FreeBSD Foundation
The Alpha-Omega Project
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51562",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T20:22:53.819104Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T20:24:32.121Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:45:16.628Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250207-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"bhyve"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p6",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p2",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p8",
"status": "affected",
"version": "13.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Synacktiv"
},
{
"lang": "en",
"type": "sponsor",
"value": "The FreeBSD Foundation"
},
{
"lang": "en",
"type": "sponsor",
"value": "The Alpha-Omega Project"
}
],
"datePublic": "2024-10-29T21:32:53.000Z",
"descriptions": [
{
"lang": "en",
"value": "The NVMe driver function nvme_opc_get_log_page is vulnerable to a buffer over-read from a guest-controlled value."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:44:28.328Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:17.bhyve.asc"
}
],
"title": "bhyve(8) nvme_opc_get_log_page buffer over-read"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2024-51562",
"datePublished": "2024-11-12T14:44:28.328Z",
"dateReserved": "2024-10-29T17:16:43.253Z",
"dateUpdated": "2025-11-03T20:45:16.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41721 (GCVE-0-2024-41721)
Vulnerability from cvelistv5 – Published: 2024-09-20 07:51 – Updated: 2024-09-26 15:03
VLAI?
Summary
An insufficient boundary validation in the USB code could lead to an out-of-bounds read on the heap, which could potentially lead to an arbitrary write and remote code execution.
Severity ?
8.1 (High)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Synacktiv
The FreeBSD Foundation
The Alpha-Omega Project
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "14.1_p5",
"status": "affected",
"version": "14.1",
"versionType": "custom"
},
{
"lessThan": "14.0_p11",
"status": "affected",
"version": "14.0",
"versionType": "custom"
},
{
"lessThan": "13.4_p1",
"status": "affected",
"version": "13.4",
"versionType": "custom"
},
{
"lessThan": "13.3_p7",
"status": "affected",
"version": "13.3",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41721",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T03:55:44.914860Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T13:13:22.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-09-26T15:03:10.183Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20240926-0009/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"umtx"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p5",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p11",
"status": "affected",
"version": "14.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p1",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p7",
"status": "affected",
"version": "13.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Synacktiv"
},
{
"lang": "en",
"type": "sponsor",
"value": "The FreeBSD Foundation"
},
{
"lang": "en",
"type": "sponsor",
"value": "The Alpha-Omega Project"
}
],
"datePublic": "2024-09-19T15:48:49.000Z",
"descriptions": [
{
"lang": "en",
"value": "An insufficient boundary validation in the USB code could lead to an out-of-bounds read on the heap, which could potentially lead to an arbitrary write and remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T07:51:22.548Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:15.bhyve.asc"
}
],
"title": "bhyve(8) out-of-bounds read access via XHCI emulation"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2024-41721",
"datePublished": "2024-09-20T07:51:22.548Z",
"dateReserved": "2024-08-27T16:30:55.996Z",
"dateUpdated": "2024-09-26T15:03:10.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24934 (GCVE-0-2025-24934)
Vulnerability from nvd – Published: 2025-10-22 17:43 – Updated: 2025-10-22 20:01
VLAI?
Summary
Software which sets SO_REUSEPORT_LB on a socket and then connects it to a host will not directly observe any problems. However, due to its membership in a load-balancing group, that socket will receive packets originating from any host. This breaks the contract of the connect(2) and implied connect via sendto(2), and may leave the application vulnerable to spoofing attacks.
The kernel failed to check the connection state of sockets when adding them to load-balancing groups. Furthermore, when looking up the destination socket for an incoming packet, the kernel will match a socket belonging to a load-balancing group even if it is connected, in violation of the contract that connected sockets are only supposed to receive packets originating from the connected host.
Severity ?
5.4 (Medium)
CWE
- CWE-488 - Exposure of Data Element to Wrong Session
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
MSc. student Omer Ben Simhon from the Hebrew University School of Computer Science and Engineering
Prof. Amit Klein from the Hebrew University School of Computer Science and Engineering
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-24934",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T19:58:47.874750Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T20:01:34.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"netinet"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p1",
"status": "affected",
"version": "15.0-BETA2",
"versionType": "beta"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "13.5-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "MSc. student Omer Ben Simhon from the Hebrew University School of Computer Science and Engineering"
},
{
"lang": "en",
"type": "finder",
"value": "Prof. Amit Klein from the Hebrew University School of Computer Science and Engineering"
}
],
"datePublic": "2025-10-22T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eSoftware which sets SO_REUSEPORT_LB on a socket and then connects it to a host will not directly observe any problems. However, due to its membership in a load-balancing group, that socket will receive packets originating from any host. This breaks the contract of the connect(2) and implied connect via sendto(2), and may leave the application vulnerable to spoofing attacks.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe kernel failed to check the connection state of sockets when adding them to load-balancing groups. Furthermore, when looking up the destination socket for an incoming packet, the kernel will match a socket belonging to a load-balancing group even if it is connected, in violation of the contract that connected sockets\u0026nbsp;are only supposed to receive packets originating from the connected host.\u003c/div\u003e"
}
],
"value": "Software which sets SO_REUSEPORT_LB on a socket and then connects it to a host will not directly observe any problems. However, due to its membership in a load-balancing group, that socket will receive packets originating from any host. This breaks the contract of the connect(2) and implied connect via sendto(2), and may leave the application vulnerable to spoofing attacks.\n\n\n\n\nThe kernel failed to check the connection state of sockets when adding them to load-balancing groups. Furthermore, when looking up the destination socket for an incoming packet, the kernel will match a socket belonging to a load-balancing group even if it is connected, in violation of the contract that connected sockets\u00a0are only supposed to receive packets originating from the connected host."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-488",
"description": "CWE-488: Exposure of Data Element to Wrong Session",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T17:43:12.326Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-25:09.netinet.asc"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SO_REUSEPORT_LB breaks connect(2) for UDP sockets",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2025-24934",
"datePublished": "2025-10-22T17:43:12.326Z",
"dateReserved": "2025-01-29T03:07:26.190Z",
"dateUpdated": "2025-10-22T20:01:34.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0662 (GCVE-0-2025-0662)
Vulnerability from nvd – Published: 2025-01-30 04:49 – Updated: 2025-02-07 17:02
VLAI?
Summary
In some cases, the ktrace facility will log the contents of kernel structures to userspace. In one such case, ktrace dumps a variable-sized sockaddr to userspace. There, the full sockaddr is copied, even when it is shorter than the full size. This can result in up to 14 uninitialized bytes of kernel memory being copied out to userspace.
It is possible for an unprivileged userspace program to leak 14 bytes of a kernel heap allocation to userspace.
Severity ?
4.9 (Medium)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
Yichen Chai
Zhuo Ying Jiang Li
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-0662",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-30T15:20:56.339386Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-31T20:00:09.502Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-02-07T17:02:55.076Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250207-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ktrace"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p1",
"status": "affected",
"version": "14.2-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yichen Chai"
},
{
"lang": "en",
"type": "finder",
"value": "Zhuo Ying Jiang Li"
}
],
"datePublic": "2025-01-29T21:33:19.000Z",
"descriptions": [
{
"lang": "en",
"value": "In some cases, the ktrace facility will log the contents of kernel structures to userspace. In one such case, ktrace dumps a variable-sized sockaddr to userspace. There, the full sockaddr is copied, even when it is shorter than the full size. This can result in up to 14 uninitialized bytes of kernel memory being copied out to userspace.\n\nIt is possible for an unprivileged userspace program to leak 14 bytes of a kernel heap allocation to userspace."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-30T04:49:56.482Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-25:04.ktrace.asc"
}
],
"title": "Uninitialized kernel memory disclosure via ktrace(2)"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2025-0662",
"datePublished": "2025-01-30T04:49:56.482Z",
"dateReserved": "2025-01-23T01:56:01.677Z",
"dateUpdated": "2025-02-07T17:02:55.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0374 (GCVE-0-2025-0374)
Vulnerability from nvd – Published: 2025-01-30 04:49 – Updated: 2025-02-07 17:02
VLAI?
Summary
When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file, and is world-readable. This applies to files that would normally have restricted visibility, such as /etc/master.passwd.
An unprivileged local user may be able to read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This is possible only when conflicts within the password file arise during an update, and the unprotected file is deleted when conflicts are resolved.
Severity ?
6.5 (Medium)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Christos Chatzaras
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-0374",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T15:41:16.838358Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T15:43:07.693Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-02-07T17:02:52.274Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250207-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"etcupdate"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p1",
"status": "affected",
"version": "14.2-RELEASE",
"versionType": "release"
},
{
"lessThan": "p7",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p3",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christos Chatzaras"
}
],
"datePublic": "2025-01-29T21:45:18.000Z",
"descriptions": [
{
"lang": "en",
"value": "When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file, and is world-readable. This applies to files that would normally have restricted visibility, such as /etc/master.passwd.\n\nAn unprivileged local user may be able to read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This is possible only when conflicts within the password file arise during an update, and the unprotected file is deleted when conflicts are resolved."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-30T04:49:07.687Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-25:03.etcupdate.asc"
}
],
"title": "Unprivileged access to system files"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2025-0374",
"datePublished": "2025-01-30T04:49:07.687Z",
"dateReserved": "2025-01-10T08:54:23.906Z",
"dateUpdated": "2025-02-07T17:02:52.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0373 (GCVE-0-2025-0373)
Vulnerability from nvd – Published: 2025-01-30 04:48 – Updated: 2025-02-07 17:02
VLAI?
Summary
On 64-bit systems, the implementation of VOP_VPTOFH() in the cd9660, tarfs and ext2fs filesystems overflows the destination FID buffer by 4 bytes, a stack buffer overflow.
A NFS server that exports a cd9660, tarfs, or ext2fs file system can be made to panic by mounting and accessing the export with an NFS client. Further exploitation (e.g., bypassing file permission checking or remote kernel code execution) is potentially possible, though this has not been demonstrated. In particular, release kernels are compiled with stack protection enabled, and some instances of the overflow are caught by this mechanism, causing a panic.
Severity ?
6 (Medium)
CWE
- CWE-121 - Stack-based Overflow
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Kevin Miller
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-0373",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-30T15:53:35.828001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T15:55:39.247Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-02-07T17:02:45.863Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250207-0009/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"fs"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p1",
"status": "affected",
"version": "14.2-RELEASE",
"versionType": "release"
},
{
"lessThan": "p7",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p3",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kevin Miller"
}
],
"datePublic": "2025-01-29T21:31:05.000Z",
"descriptions": [
{
"lang": "en",
"value": "On 64-bit systems, the implementation of VOP_VPTOFH() in the cd9660, tarfs and ext2fs filesystems overflows the destination FID buffer by 4 bytes, a stack buffer overflow.\n\nA NFS server that exports a cd9660, tarfs, or ext2fs file system can be made to panic by mounting and accessing the export with an NFS client. Further exploitation (e.g., bypassing file permission checking or remote kernel code execution) is potentially possible, though this has not been demonstrated. In particular, release kernels are compiled with stack protection enabled, and some instances of the overflow are caught by this mechanism, causing a panic."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-30T04:48:03.054Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-25:02.fs.asc"
}
],
"title": "Buffer overflow in some filesystems via NFS"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2025-0373",
"datePublished": "2025-01-30T04:48:03.054Z",
"dateReserved": "2025-01-10T08:47:56.804Z",
"dateUpdated": "2025-02-07T17:02:45.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45289 (GCVE-0-2024-45289)
Vulnerability from nvd – Published: 2024-11-12 15:06 – Updated: 2025-01-10 13:06
VLAI?
Summary
The fetch(3) library uses environment variables for passing certain information, including the revocation file pathname. The environment variable name used by fetch(1) to pass the filename to the library was incorrect, in effect ignoring the option.
Fetch would still connect to a host presenting a certificate included in the revocation file passed to the --crl option.
Severity ?
7.5 (High)
CWE
- CWE-665 - Improper Initialization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Franco Fichtner
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "p6",
"status": "affected",
"version": "14.1-release",
"versionType": "custom"
},
{
"lessThan": "p2",
"status": "affected",
"version": "13.4-release",
"versionType": "custom"
},
{
"lessThan": "p8",
"status": "affected",
"version": "13.3-release",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45289",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-13T14:22:38.085444Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-13T14:26:36.792Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-01-10T13:06:48.187Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250110-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"bhyve"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p6",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p2",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p8",
"status": "affected",
"version": "13.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Franco Fichtner"
}
],
"datePublic": "2024-10-29T21:32:58.000Z",
"descriptions": [
{
"lang": "en",
"value": "The fetch(3) library uses environment variables for passing certain information, including the revocation file pathname. The environment variable name used by fetch(1) to pass the filename to the library was incorrect, in effect ignoring the option.\n\nFetch would still connect to a host presenting a certificate included in the revocation file passed to the --crl option."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-665",
"description": "CWE-665 Improper Initialization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:06:08.435Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:18.ctl.asc"
}
],
"title": "Unbounded allocation in ctl(4) CAM Target Layer"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2024-45289",
"datePublished": "2024-11-12T15:06:08.435Z",
"dateReserved": "2024-08-26T14:20:00.870Z",
"dateUpdated": "2025-01-10T13:06:48.187Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39281 (GCVE-0-2024-39281)
Vulnerability from nvd – Published: 2024-11-12 15:01 – Updated: 2025-01-10 13:06
VLAI?
Summary
The command ctl_persistent_reserve_out allows the caller to specify an arbitrary size which will be passed to the kernel's memory allocator.
Severity ?
5.3 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Synacktiv
The FreeBSD Foundation
The Alpha-Omega Project
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-39281",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T20:09:13.996777Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T20:19:19.316Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-01-10T13:06:46.829Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250110-0002/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"bhyve"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p6",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p2",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p8",
"status": "affected",
"version": "13.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Synacktiv"
},
{
"lang": "en",
"type": "sponsor",
"value": "The FreeBSD Foundation"
},
{
"lang": "en",
"type": "sponsor",
"value": "The Alpha-Omega Project"
}
],
"datePublic": "2024-10-29T21:32:58.000Z",
"descriptions": [
{
"lang": "en",
"value": "The command ctl_persistent_reserve_out allows the caller to specify an arbitrary size which will be passed to the kernel\u0027s memory allocator."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:01:57.151Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:18.ctl.asc"
}
],
"title": "Unbounded allocation in ctl(4) CAM Target Layer"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2024-39281",
"datePublished": "2024-11-12T15:01:57.151Z",
"dateReserved": "2024-08-27T16:30:55.986Z",
"dateUpdated": "2025-01-10T13:06:46.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51566 (GCVE-0-2024-51566)
Vulnerability from nvd – Published: 2024-11-12 14:58 – Updated: 2025-11-03 20:45
VLAI?
Summary
The NVMe driver queue processing is vulernable to guest-induced infinite loops.
Severity ?
6.5 (Medium)
CWE
- CWE-1285 - Improper Validation of Specified Index, Position, or Offset in Input
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Synacktiv
The FreeBSD Foundation
The Alpha-Omega Project
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51566",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T20:21:19.395074Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T20:22:34.040Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:45:22.798Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250207-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"bhyve"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p6",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p2",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p8",
"status": "affected",
"version": "13.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Synacktiv"
},
{
"lang": "en",
"type": "sponsor",
"value": "The FreeBSD Foundation"
},
{
"lang": "en",
"type": "sponsor",
"value": "The Alpha-Omega Project"
}
],
"datePublic": "2024-10-29T21:32:53.000Z",
"descriptions": [
{
"lang": "en",
"value": "The NVMe driver queue processing is vulernable to guest-induced infinite loops."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1285",
"description": "CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:58:04.254Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:17.bhyve.asc"
}
],
"title": "bhyve(8) NVMe driver to guest-induced infinite loops."
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2024-51566",
"datePublished": "2024-11-12T14:58:04.254Z",
"dateReserved": "2024-10-29T17:16:43.254Z",
"dateUpdated": "2025-11-03T20:45:22.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-51565 (GCVE-0-2024-51565)
Vulnerability from nvd – Published: 2024-11-12 14:53 – Updated: 2025-11-03 20:45
VLAI?
Summary
The hda driver is vulnerable to a buffer over-read from a guest-controlled value.
Severity ?
6.5 (Medium)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Synacktiv
The FreeBSD Foundation
The Alpha-Omega Project
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T20:22:46.033255Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T20:24:12.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:45:21.398Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250207-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"bhyve"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p6",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p2",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p8",
"status": "affected",
"version": "13.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Synacktiv"
},
{
"lang": "en",
"type": "sponsor",
"value": "The FreeBSD Foundation"
},
{
"lang": "en",
"type": "sponsor",
"value": "The Alpha-Omega Project"
}
],
"datePublic": "2024-10-29T21:32:53.000Z",
"descriptions": [
{
"lang": "en",
"value": "The hda driver is vulnerable to a buffer over-read from a guest-controlled value."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:53:46.211Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:17.bhyve.asc"
}
],
"title": "bhyve(8) hda driver buffer over-read"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2024-51565",
"datePublished": "2024-11-12T14:53:46.211Z",
"dateReserved": "2024-10-29T17:16:43.254Z",
"dateUpdated": "2025-11-03T20:45:21.398Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-51564 (GCVE-0-2024-51564)
Vulnerability from nvd – Published: 2024-11-12 14:51 – Updated: 2025-11-03 20:45
VLAI?
Summary
A guest can trigger an infinite loop in the hda audio driver.
Severity ?
7.5 (High)
CWE
- CWE-1285 - Improper Validation of Specified Index, Position, or Offset in Input
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Synacktiv
The FreeBSD Foundation
The Alpha-Omega Project
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:13.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "13.3_p8",
"status": "affected",
"version": "13.3",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:13.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "13.4_p2",
"status": "affected",
"version": "13.4",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:14.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "14.1_p6",
"status": "affected",
"version": "14.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51564",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T17:13:07.789111Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T17:13:11.283Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:45:19.837Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250207-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"bhyve"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p6",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p2",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p8",
"status": "affected",
"version": "13.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Synacktiv"
},
{
"lang": "en",
"type": "sponsor",
"value": "The FreeBSD Foundation"
},
{
"lang": "en",
"type": "sponsor",
"value": "The Alpha-Omega Project"
}
],
"datePublic": "2024-10-29T21:32:53.000Z",
"descriptions": [
{
"lang": "en",
"value": "A guest can trigger an infinite loop in the hda audio driver."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1285",
"description": "CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:51:51.757Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:17.bhyve.asc"
}
],
"title": "bhyve(8) infinite loop in the hda audio driver"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2024-51564",
"datePublished": "2024-11-12T14:51:51.757Z",
"dateReserved": "2024-10-29T17:16:43.254Z",
"dateUpdated": "2025-11-03T20:45:19.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-51563 (GCVE-0-2024-51563)
Vulnerability from nvd – Published: 2024-11-12 14:47 – Updated: 2025-11-03 20:45
VLAI?
Summary
The virtio_vq_recordon function is subject to a time-of-check to time-of-use (TOCTOU) race condition.
Severity ?
6.5 (Medium)
CWE
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Synacktiv
The FreeBSD Foundation
The Alpha-Omega Project
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51563",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T20:22:49.810681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T20:24:23.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:45:18.070Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250207-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"bhyve"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p6",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p2",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p8",
"status": "affected",
"version": "13.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Synacktiv"
},
{
"lang": "en",
"type": "sponsor",
"value": "The FreeBSD Foundation"
},
{
"lang": "en",
"type": "sponsor",
"value": "The Alpha-Omega Project"
}
],
"datePublic": "2024-10-29T21:32:53.000Z",
"descriptions": [
{
"lang": "en",
"value": "The virtio_vq_recordon function is subject to a time-of-check to time-of-use (TOCTOU) race condition."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:47:28.189Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:17.bhyve.asc"
}
],
"title": "bhyve(8) virtio_vq_recordon time-of-check to time-of-use race"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2024-51563",
"datePublished": "2024-11-12T14:47:28.189Z",
"dateReserved": "2024-10-29T17:16:43.254Z",
"dateUpdated": "2025-11-03T20:45:18.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-51562 (GCVE-0-2024-51562)
Vulnerability from nvd – Published: 2024-11-12 14:44 – Updated: 2025-11-03 20:45
VLAI?
Summary
The NVMe driver function nvme_opc_get_log_page is vulnerable to a buffer over-read from a guest-controlled value.
Severity ?
6.5 (Medium)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Synacktiv
The FreeBSD Foundation
The Alpha-Omega Project
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-51562",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T20:22:53.819104Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T20:24:32.121Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T20:45:16.628Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250207-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"bhyve"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p6",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p2",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p8",
"status": "affected",
"version": "13.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Synacktiv"
},
{
"lang": "en",
"type": "sponsor",
"value": "The FreeBSD Foundation"
},
{
"lang": "en",
"type": "sponsor",
"value": "The Alpha-Omega Project"
}
],
"datePublic": "2024-10-29T21:32:53.000Z",
"descriptions": [
{
"lang": "en",
"value": "The NVMe driver function nvme_opc_get_log_page is vulnerable to a buffer over-read from a guest-controlled value."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:44:28.328Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:17.bhyve.asc"
}
],
"title": "bhyve(8) nvme_opc_get_log_page buffer over-read"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2024-51562",
"datePublished": "2024-11-12T14:44:28.328Z",
"dateReserved": "2024-10-29T17:16:43.253Z",
"dateUpdated": "2025-11-03T20:45:16.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41721 (GCVE-0-2024-41721)
Vulnerability from nvd – Published: 2024-09-20 07:51 – Updated: 2024-09-26 15:03
VLAI?
Summary
An insufficient boundary validation in the USB code could lead to an out-of-bounds read on the heap, which could potentially lead to an arbitrary write and remote code execution.
Severity ?
8.1 (High)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Synacktiv
The FreeBSD Foundation
The Alpha-Omega Project
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "freebsd",
"vendor": "freebsd",
"versions": [
{
"lessThan": "14.1_p5",
"status": "affected",
"version": "14.1",
"versionType": "custom"
},
{
"lessThan": "14.0_p11",
"status": "affected",
"version": "14.0",
"versionType": "custom"
},
{
"lessThan": "13.4_p1",
"status": "affected",
"version": "13.4",
"versionType": "custom"
},
{
"lessThan": "13.3_p7",
"status": "affected",
"version": "13.3",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-41721",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T03:55:44.914860Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T13:13:22.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-09-26T15:03:10.183Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20240926-0009/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"umtx"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p5",
"status": "affected",
"version": "14.1-RELEASE",
"versionType": "release"
},
{
"lessThan": "p11",
"status": "affected",
"version": "14.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p1",
"status": "affected",
"version": "13.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p7",
"status": "affected",
"version": "13.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Synacktiv"
},
{
"lang": "en",
"type": "sponsor",
"value": "The FreeBSD Foundation"
},
{
"lang": "en",
"type": "sponsor",
"value": "The Alpha-Omega Project"
}
],
"datePublic": "2024-09-19T15:48:49.000Z",
"descriptions": [
{
"lang": "en",
"value": "An insufficient boundary validation in the USB code could lead to an out-of-bounds read on the heap, which could potentially lead to an arbitrary write and remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T07:51:22.548Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:15.bhyve.asc"
}
],
"title": "bhyve(8) out-of-bounds read access via XHCI emulation"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2024-41721",
"datePublished": "2024-09-20T07:51:22.548Z",
"dateReserved": "2024-08-27T16:30:55.996Z",
"dateUpdated": "2024-09-26T15:03:10.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2024-42416
Vulnerability from fkie_nvd - Published: 2024-09-05 05:15 - Updated: 2025-11-04 17:16
Severity ?
8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The ctl_report_supported_opcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel help memory.
Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| freebsd | freebsd | * | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.4 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E82CE719-C11D-4C34-BDF9-5AA704884289",
"versionEndExcluding": "13.3",
"versionStartIncluding": "13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:-:*:*:*:*:*:*",
"matchCriteriaId": "17DAE911-21E1-4182-85A0-B9F0059DDA7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p1:*:*:*:*:*:*",
"matchCriteriaId": "ABEA48EC-24EA-4106-9465-CE66B938635F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p2:*:*:*:*:*:*",
"matchCriteriaId": "8DFB5BD0-E777-4CAA-B2E0-3F3357D06D01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p3:*:*:*:*:*:*",
"matchCriteriaId": "BC8C769C-A23E-4F61-AC42-4DA64421B096",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p4:*:*:*:*:*:*",
"matchCriteriaId": "45B0589E-2E7D-4516-A8A0-88F30038EAB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p5:*:*:*:*:*:*",
"matchCriteriaId": "C5CD8EF6-B119-488F-A278-8E9740E3E482",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.4:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2F52349C-6051-4CB9-8659-763A22C31640",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:-:*:*:*:*:*:*",
"matchCriteriaId": "FA25530A-133C-4D7C-8993-D5C42D79A0B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "DB7B021E-F4AD-44AC-96AB-8ACAF8AB1B88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p1:*:*:*:*:*:*",
"matchCriteriaId": "69A72B5A-2189-4700-8E8B-1E5E7CA86C40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p2:*:*:*:*:*:*",
"matchCriteriaId": "5771F187-281B-4680-B562-EFC7441A8F88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p3:*:*:*:*:*:*",
"matchCriteriaId": "0A4437F5-9DDA-4769-974E-23BFA085E0DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p4:*:*:*:*:*:*",
"matchCriteriaId": "A9C3A3D4-C9F4-41EB-B532-821AF83470B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p5:*:*:*:*:*:*",
"matchCriteriaId": "878A1F0A-087F-47D7-9CA5-A54BB8D6676A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p6:*:*:*:*:*:*",
"matchCriteriaId": "CE73CDC3-B5A7-4921-89C6-8F9DC426CB3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p7:*:*:*:*:*:*",
"matchCriteriaId": "50A5E650-31FB-45BE-8827-641B58A83E45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p8:*:*:*:*:*:*",
"matchCriteriaId": "D59CFDD3-AEC3-43F1-A620-0B1F0BAD9048",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p9:*:*:*:*:*:*",
"matchCriteriaId": "44B8A489-6314-460D-90DA-AFB54298C8E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "038E5B85-7F60-4D71-8D3F-EDBF6E036CE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:rc4-p1:*:*:*:*:*:*",
"matchCriteriaId": "BF309824-D379-4749-A1FA-BCB2987DD671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:-:*:*:*:*:*:*",
"matchCriteriaId": "79D770C6-7A57-4A49-8164-C55391F62301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p1:*:*:*:*:*:*",
"matchCriteriaId": "AA813990-8C8F-4EE8-9F2B-9F73C510A7B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p2:*:*:*:*:*:*",
"matchCriteriaId": "D4DFA201-27D5-4C01-B90F-E24778943C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p3:*:*:*:*:*:*",
"matchCriteriaId": "01DD321B-E5E2-49F7-86A1-D40B13E257C7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The ctl_report_supported_opcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel help memory.\n\nMalicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host."
},
{
"lang": "es",
"value": "La funci\u00f3n ctl_report_supported_opcodes no valid\u00f3 de manera suficiente un campo proporcionado por el espacio de usuario, lo que permiti\u00f3 una escritura arbitraria en una cantidad limitada de memoria de ayuda del n\u00facleo. El software malintencionado que se ejecuta en una m\u00e1quina virtual invitada que expone virtio_scsi puede explotar las vulnerabilidades para lograr la ejecuci\u00f3n de c\u00f3digo en el host en el proceso de espacio de usuario bhyve, que normalmente se ejecuta como ra\u00edz. Tenga en cuenta que bhyve se ejecuta en un entorno aislado de Capsicum, por lo que el c\u00f3digo malintencionado est\u00e1 limitado por las capacidades disponibles para el proceso bhyve. Un iniciador iSCSI malintencionado podr\u00eda lograr la ejecuci\u00f3n remota de c\u00f3digo en el host de destino iSCSI."
}
],
"id": "CVE-2024-42416",
"lastModified": "2025-11-04T17:16:04.713",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.0,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.5,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-09-05T05:15:13.600",
"references": [
{
"source": "secteam@freebsd.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:11.ctl.asc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240920-0010/"
}
],
"sourceIdentifier": "secteam@freebsd.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-790"
},
{
"lang": "en",
"value": "CWE-823"
}
],
"source": "secteam@freebsd.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1284"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-32668
Vulnerability from fkie_nvd - Published: 2024-09-05 05:15 - Updated: 2024-11-21 09:15
Severity ?
8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller.
A malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| freebsd | freebsd | * | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.4 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E82CE719-C11D-4C34-BDF9-5AA704884289",
"versionEndExcluding": "13.3",
"versionStartIncluding": "13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:-:*:*:*:*:*:*",
"matchCriteriaId": "17DAE911-21E1-4182-85A0-B9F0059DDA7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p1:*:*:*:*:*:*",
"matchCriteriaId": "ABEA48EC-24EA-4106-9465-CE66B938635F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p2:*:*:*:*:*:*",
"matchCriteriaId": "8DFB5BD0-E777-4CAA-B2E0-3F3357D06D01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p3:*:*:*:*:*:*",
"matchCriteriaId": "BC8C769C-A23E-4F61-AC42-4DA64421B096",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p4:*:*:*:*:*:*",
"matchCriteriaId": "45B0589E-2E7D-4516-A8A0-88F30038EAB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p5:*:*:*:*:*:*",
"matchCriteriaId": "C5CD8EF6-B119-488F-A278-8E9740E3E482",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.4:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2F52349C-6051-4CB9-8659-763A22C31640",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:-:*:*:*:*:*:*",
"matchCriteriaId": "FA25530A-133C-4D7C-8993-D5C42D79A0B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "DB7B021E-F4AD-44AC-96AB-8ACAF8AB1B88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p1:*:*:*:*:*:*",
"matchCriteriaId": "69A72B5A-2189-4700-8E8B-1E5E7CA86C40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p2:*:*:*:*:*:*",
"matchCriteriaId": "5771F187-281B-4680-B562-EFC7441A8F88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p3:*:*:*:*:*:*",
"matchCriteriaId": "0A4437F5-9DDA-4769-974E-23BFA085E0DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p4:*:*:*:*:*:*",
"matchCriteriaId": "A9C3A3D4-C9F4-41EB-B532-821AF83470B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p5:*:*:*:*:*:*",
"matchCriteriaId": "878A1F0A-087F-47D7-9CA5-A54BB8D6676A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p6:*:*:*:*:*:*",
"matchCriteriaId": "CE73CDC3-B5A7-4921-89C6-8F9DC426CB3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p7:*:*:*:*:*:*",
"matchCriteriaId": "50A5E650-31FB-45BE-8827-641B58A83E45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p8:*:*:*:*:*:*",
"matchCriteriaId": "D59CFDD3-AEC3-43F1-A620-0B1F0BAD9048",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p9:*:*:*:*:*:*",
"matchCriteriaId": "44B8A489-6314-460D-90DA-AFB54298C8E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "038E5B85-7F60-4D71-8D3F-EDBF6E036CE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:rc4-p1:*:*:*:*:*:*",
"matchCriteriaId": "BF309824-D379-4749-A1FA-BCB2987DD671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:-:*:*:*:*:*:*",
"matchCriteriaId": "79D770C6-7A57-4A49-8164-C55391F62301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p1:*:*:*:*:*:*",
"matchCriteriaId": "AA813990-8C8F-4EE8-9F2B-9F73C510A7B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p2:*:*:*:*:*:*",
"matchCriteriaId": "D4DFA201-27D5-4C01-B90F-E24778943C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p3:*:*:*:*:*:*",
"matchCriteriaId": "01DD321B-E5E2-49F7-86A1-D40B13E257C7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller.\n\nA malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process."
},
{
"lang": "es",
"value": "Una validaci\u00f3n de los l\u00edmites insuficiente en el c\u00f3digo USB podr\u00eda provocar una escritura fuera de los l\u00edmites en el mont\u00f3n, con datos controlados por el autor de la llamada. Un software malicioso y privilegiado que se ejecute en una m\u00e1quina virtual invitada puede aprovechar la vulnerabilidad para lograr la ejecuci\u00f3n de c\u00f3digo en el host en el proceso de espacio de usuario bhyve, que normalmente se ejecuta como ra\u00edz. Tenga en cuenta que bhyve se ejecuta en un entorno aislado de Capsicum, por lo que el c\u00f3digo malicioso est\u00e1 limitado por las capacidades disponibles para el proceso bhyve."
}
],
"id": "CVE-2024-32668",
"lastModified": "2024-11-21T09:15:25.913",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.5,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.5,
"impactScore": 6.0,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-09-05T05:15:13.433",
"references": [
{
"source": "secteam@freebsd.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:12.bhyve.asc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240920-0007/"
}
],
"sourceIdentifier": "secteam@freebsd.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-193"
},
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "secteam@freebsd.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-45063
Vulnerability from fkie_nvd - Published: 2024-09-05 05:15 - Updated: 2025-11-04 17:16
Severity ?
8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The function ctl_write_buffer incorrectly set a flag which resulted in a kernel Use-After-Free when a command finished processing.
Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| freebsd | freebsd | * | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.4 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E82CE719-C11D-4C34-BDF9-5AA704884289",
"versionEndExcluding": "13.3",
"versionStartIncluding": "13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:-:*:*:*:*:*:*",
"matchCriteriaId": "17DAE911-21E1-4182-85A0-B9F0059DDA7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p1:*:*:*:*:*:*",
"matchCriteriaId": "ABEA48EC-24EA-4106-9465-CE66B938635F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p2:*:*:*:*:*:*",
"matchCriteriaId": "8DFB5BD0-E777-4CAA-B2E0-3F3357D06D01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p3:*:*:*:*:*:*",
"matchCriteriaId": "BC8C769C-A23E-4F61-AC42-4DA64421B096",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p4:*:*:*:*:*:*",
"matchCriteriaId": "45B0589E-2E7D-4516-A8A0-88F30038EAB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p5:*:*:*:*:*:*",
"matchCriteriaId": "C5CD8EF6-B119-488F-A278-8E9740E3E482",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.4:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2F52349C-6051-4CB9-8659-763A22C31640",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:-:*:*:*:*:*:*",
"matchCriteriaId": "FA25530A-133C-4D7C-8993-D5C42D79A0B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "DB7B021E-F4AD-44AC-96AB-8ACAF8AB1B88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p1:*:*:*:*:*:*",
"matchCriteriaId": "69A72B5A-2189-4700-8E8B-1E5E7CA86C40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p2:*:*:*:*:*:*",
"matchCriteriaId": "5771F187-281B-4680-B562-EFC7441A8F88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p3:*:*:*:*:*:*",
"matchCriteriaId": "0A4437F5-9DDA-4769-974E-23BFA085E0DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p4:*:*:*:*:*:*",
"matchCriteriaId": "A9C3A3D4-C9F4-41EB-B532-821AF83470B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p5:*:*:*:*:*:*",
"matchCriteriaId": "878A1F0A-087F-47D7-9CA5-A54BB8D6676A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p6:*:*:*:*:*:*",
"matchCriteriaId": "CE73CDC3-B5A7-4921-89C6-8F9DC426CB3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p7:*:*:*:*:*:*",
"matchCriteriaId": "50A5E650-31FB-45BE-8827-641B58A83E45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p8:*:*:*:*:*:*",
"matchCriteriaId": "D59CFDD3-AEC3-43F1-A620-0B1F0BAD9048",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p9:*:*:*:*:*:*",
"matchCriteriaId": "44B8A489-6314-460D-90DA-AFB54298C8E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "038E5B85-7F60-4D71-8D3F-EDBF6E036CE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:rc4-p1:*:*:*:*:*:*",
"matchCriteriaId": "BF309824-D379-4749-A1FA-BCB2987DD671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:-:*:*:*:*:*:*",
"matchCriteriaId": "79D770C6-7A57-4A49-8164-C55391F62301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p1:*:*:*:*:*:*",
"matchCriteriaId": "AA813990-8C8F-4EE8-9F2B-9F73C510A7B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p2:*:*:*:*:*:*",
"matchCriteriaId": "D4DFA201-27D5-4C01-B90F-E24778943C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p3:*:*:*:*:*:*",
"matchCriteriaId": "01DD321B-E5E2-49F7-86A1-D40B13E257C7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The function ctl_write_buffer incorrectly set a flag which resulted in a kernel Use-After-Free when a command finished processing.\n\nMalicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host."
},
{
"lang": "es",
"value": "La funci\u00f3n ctl_write_buffer estableci\u00f3 incorrectamente un indicador que result\u00f3 en un uso posterior a la liberaci\u00f3n del n\u00facleo cuando finaliz\u00f3 el procesamiento de un comando. El software malintencionado que se ejecuta en una m\u00e1quina virtual invitada que expone virtio_scsi puede explotar las vulnerabilidades para lograr la ejecuci\u00f3n de c\u00f3digo en el host en el proceso de espacio de usuario bhyve, que normalmente se ejecuta como ra\u00edz. Tenga en cuenta que bhyve se ejecuta en un entorno aislado de Capsicum, por lo que el c\u00f3digo malintencionado est\u00e1 limitado por las capacidades disponibles para el proceso bhyve. Un iniciador iSCSI malintencionado podr\u00eda lograr la ejecuci\u00f3n remota de c\u00f3digo en el host de destino iSCSI."
}
],
"id": "CVE-2024-45063",
"lastModified": "2025-11-04T17:16:14.880",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.0,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-09-05T05:15:13.830",
"references": [
{
"source": "secteam@freebsd.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:11.ctl.asc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240920-0010/"
}
],
"sourceIdentifier": "secteam@freebsd.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-416"
}
],
"source": "secteam@freebsd.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-416"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-43102
Vulnerability from fkie_nvd - Published: 2024-09-05 05:15 - Updated: 2024-11-21 09:35
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early.
A malicious code exercizing the UMTX_SHM_DESTROY sub-request in parallel can panic the kernel or enable further Use-After-Free attacks, potentially including code execution or Capsicum sandbox escape.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| freebsd | freebsd | * | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.4 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E82CE719-C11D-4C34-BDF9-5AA704884289",
"versionEndExcluding": "13.3",
"versionStartIncluding": "13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:-:*:*:*:*:*:*",
"matchCriteriaId": "17DAE911-21E1-4182-85A0-B9F0059DDA7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p1:*:*:*:*:*:*",
"matchCriteriaId": "ABEA48EC-24EA-4106-9465-CE66B938635F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p2:*:*:*:*:*:*",
"matchCriteriaId": "8DFB5BD0-E777-4CAA-B2E0-3F3357D06D01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p3:*:*:*:*:*:*",
"matchCriteriaId": "BC8C769C-A23E-4F61-AC42-4DA64421B096",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p4:*:*:*:*:*:*",
"matchCriteriaId": "45B0589E-2E7D-4516-A8A0-88F30038EAB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p5:*:*:*:*:*:*",
"matchCriteriaId": "C5CD8EF6-B119-488F-A278-8E9740E3E482",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.4:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2F52349C-6051-4CB9-8659-763A22C31640",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:-:*:*:*:*:*:*",
"matchCriteriaId": "FA25530A-133C-4D7C-8993-D5C42D79A0B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "DB7B021E-F4AD-44AC-96AB-8ACAF8AB1B88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p1:*:*:*:*:*:*",
"matchCriteriaId": "69A72B5A-2189-4700-8E8B-1E5E7CA86C40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p2:*:*:*:*:*:*",
"matchCriteriaId": "5771F187-281B-4680-B562-EFC7441A8F88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p3:*:*:*:*:*:*",
"matchCriteriaId": "0A4437F5-9DDA-4769-974E-23BFA085E0DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p4:*:*:*:*:*:*",
"matchCriteriaId": "A9C3A3D4-C9F4-41EB-B532-821AF83470B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p5:*:*:*:*:*:*",
"matchCriteriaId": "878A1F0A-087F-47D7-9CA5-A54BB8D6676A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p6:*:*:*:*:*:*",
"matchCriteriaId": "CE73CDC3-B5A7-4921-89C6-8F9DC426CB3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p7:*:*:*:*:*:*",
"matchCriteriaId": "50A5E650-31FB-45BE-8827-641B58A83E45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p8:*:*:*:*:*:*",
"matchCriteriaId": "D59CFDD3-AEC3-43F1-A620-0B1F0BAD9048",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p9:*:*:*:*:*:*",
"matchCriteriaId": "44B8A489-6314-460D-90DA-AFB54298C8E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "038E5B85-7F60-4D71-8D3F-EDBF6E036CE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:rc4-p1:*:*:*:*:*:*",
"matchCriteriaId": "BF309824-D379-4749-A1FA-BCB2987DD671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:-:*:*:*:*:*:*",
"matchCriteriaId": "79D770C6-7A57-4A49-8164-C55391F62301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p1:*:*:*:*:*:*",
"matchCriteriaId": "AA813990-8C8F-4EE8-9F2B-9F73C510A7B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p2:*:*:*:*:*:*",
"matchCriteriaId": "D4DFA201-27D5-4C01-B90F-E24778943C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p3:*:*:*:*:*:*",
"matchCriteriaId": "01DD321B-E5E2-49F7-86A1-D40B13E257C7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early.\n\nA malicious code exercizing the UMTX_SHM_DESTROY sub-request in parallel can panic the kernel or enable further Use-After-Free attacks, potentially including code execution or Capsicum sandbox escape."
},
{
"lang": "es",
"value": "Las eliminaciones simult\u00e1neas de ciertas asignaciones de memoria compartida an\u00f3nimas mediante la subsolicitud UMTX_SHM_DESTROY de UMTX_OP_SHM pueden provocar que se reduzca el recuento de referencias del objeto que representa la asignaci\u00f3n demasiadas veces, lo que hace que se libere demasiado pronto. Un c\u00f3digo malicioso que ejecute la subsolicitud UMTX_SHM_DESTROY en paralelo puede provocar un p\u00e1nico en el n\u00facleo o permitir m\u00e1s ataques de use-after-free, que podr\u00edan incluir la ejecuci\u00f3n de c\u00f3digo o el escape de la zona protegida de Capsicum."
}
],
"id": "CVE-2024-43102",
"lastModified": "2024-11-21T09:35:00.713",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-09-05T05:15:13.677",
"references": [
{
"source": "secteam@freebsd.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:14.umtx.asc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240916-0001/"
}
],
"sourceIdentifier": "secteam@freebsd.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-416"
},
{
"lang": "en",
"value": "CWE-911"
}
],
"source": "secteam@freebsd.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-416"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-8178
Vulnerability from fkie_nvd - Published: 2024-09-05 05:15 - Updated: 2025-11-04 17:16
Severity ?
8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.3 (Critical) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 (Critical) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it.
Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| freebsd | freebsd | * | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.4 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E82CE719-C11D-4C34-BDF9-5AA704884289",
"versionEndExcluding": "13.3",
"versionStartIncluding": "13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:-:*:*:*:*:*:*",
"matchCriteriaId": "17DAE911-21E1-4182-85A0-B9F0059DDA7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p1:*:*:*:*:*:*",
"matchCriteriaId": "ABEA48EC-24EA-4106-9465-CE66B938635F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p2:*:*:*:*:*:*",
"matchCriteriaId": "8DFB5BD0-E777-4CAA-B2E0-3F3357D06D01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p3:*:*:*:*:*:*",
"matchCriteriaId": "BC8C769C-A23E-4F61-AC42-4DA64421B096",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p4:*:*:*:*:*:*",
"matchCriteriaId": "45B0589E-2E7D-4516-A8A0-88F30038EAB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p5:*:*:*:*:*:*",
"matchCriteriaId": "C5CD8EF6-B119-488F-A278-8E9740E3E482",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.4:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2F52349C-6051-4CB9-8659-763A22C31640",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:-:*:*:*:*:*:*",
"matchCriteriaId": "FA25530A-133C-4D7C-8993-D5C42D79A0B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "DB7B021E-F4AD-44AC-96AB-8ACAF8AB1B88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p1:*:*:*:*:*:*",
"matchCriteriaId": "69A72B5A-2189-4700-8E8B-1E5E7CA86C40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p2:*:*:*:*:*:*",
"matchCriteriaId": "5771F187-281B-4680-B562-EFC7441A8F88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p3:*:*:*:*:*:*",
"matchCriteriaId": "0A4437F5-9DDA-4769-974E-23BFA085E0DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p4:*:*:*:*:*:*",
"matchCriteriaId": "A9C3A3D4-C9F4-41EB-B532-821AF83470B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p5:*:*:*:*:*:*",
"matchCriteriaId": "878A1F0A-087F-47D7-9CA5-A54BB8D6676A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p6:*:*:*:*:*:*",
"matchCriteriaId": "CE73CDC3-B5A7-4921-89C6-8F9DC426CB3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p7:*:*:*:*:*:*",
"matchCriteriaId": "50A5E650-31FB-45BE-8827-641B58A83E45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p8:*:*:*:*:*:*",
"matchCriteriaId": "D59CFDD3-AEC3-43F1-A620-0B1F0BAD9048",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p9:*:*:*:*:*:*",
"matchCriteriaId": "44B8A489-6314-460D-90DA-AFB54298C8E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "038E5B85-7F60-4D71-8D3F-EDBF6E036CE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:rc4-p1:*:*:*:*:*:*",
"matchCriteriaId": "BF309824-D379-4749-A1FA-BCB2987DD671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:-:*:*:*:*:*:*",
"matchCriteriaId": "79D770C6-7A57-4A49-8164-C55391F62301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p1:*:*:*:*:*:*",
"matchCriteriaId": "AA813990-8C8F-4EE8-9F2B-9F73C510A7B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p2:*:*:*:*:*:*",
"matchCriteriaId": "D4DFA201-27D5-4C01-B90F-E24778943C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p3:*:*:*:*:*:*",
"matchCriteriaId": "01DD321B-E5E2-49F7-86A1-D40B13E257C7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it.\n\nMalicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host."
},
{
"lang": "es",
"value": "Las funciones ctl_write_buffer y ctl_read_buffer asignaron memoria para ser devuelta al espacio de usuario, sin inicializarla. El software malintencionado que se ejecuta en una m\u00e1quina virtual invitada que expone virtio_scsi puede explotar las vulnerabilidades para lograr la ejecuci\u00f3n de c\u00f3digo en el host en el proceso de espacio de usuario bhyve, que normalmente se ejecuta como ra\u00edz. Tenga en cuenta que bhyve se ejecuta en un entorno aislado de Capsicum, por lo que el c\u00f3digo malintencionado est\u00e1 limitado por las capacidades disponibles para el proceso bhyve. Un iniciador iSCSI malintencionado podr\u00eda lograr la ejecuci\u00f3n remota de c\u00f3digo en el host de destino iSCSI."
}
],
"id": "CVE-2024-8178",
"lastModified": "2025-11-04T17:16:16.887",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.0,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.5,
"impactScore": 6.0,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-09-05T05:15:13.907",
"references": [
{
"source": "secteam@freebsd.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:11.ctl.asc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240920-0010/"
}
],
"sourceIdentifier": "secteam@freebsd.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-908"
},
{
"lang": "en",
"value": "CWE-909"
}
],
"source": "secteam@freebsd.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-909"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-43110
Vulnerability from fkie_nvd - Published: 2024-09-05 05:15 - Updated: 2025-11-04 17:16
Severity ?
8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace.
Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| freebsd | freebsd | * | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.3 | |
| freebsd | freebsd | 13.4 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.0 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 | |
| freebsd | freebsd | 14.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E82CE719-C11D-4C34-BDF9-5AA704884289",
"versionEndExcluding": "13.3",
"versionStartIncluding": "13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:-:*:*:*:*:*:*",
"matchCriteriaId": "17DAE911-21E1-4182-85A0-B9F0059DDA7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p1:*:*:*:*:*:*",
"matchCriteriaId": "ABEA48EC-24EA-4106-9465-CE66B938635F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p2:*:*:*:*:*:*",
"matchCriteriaId": "8DFB5BD0-E777-4CAA-B2E0-3F3357D06D01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p3:*:*:*:*:*:*",
"matchCriteriaId": "BC8C769C-A23E-4F61-AC42-4DA64421B096",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p4:*:*:*:*:*:*",
"matchCriteriaId": "45B0589E-2E7D-4516-A8A0-88F30038EAB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.3:p5:*:*:*:*:*:*",
"matchCriteriaId": "C5CD8EF6-B119-488F-A278-8E9740E3E482",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:13.4:beta3:*:*:*:*:*:*",
"matchCriteriaId": "2F52349C-6051-4CB9-8659-763A22C31640",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:-:*:*:*:*:*:*",
"matchCriteriaId": "FA25530A-133C-4D7C-8993-D5C42D79A0B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "DB7B021E-F4AD-44AC-96AB-8ACAF8AB1B88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p1:*:*:*:*:*:*",
"matchCriteriaId": "69A72B5A-2189-4700-8E8B-1E5E7CA86C40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p2:*:*:*:*:*:*",
"matchCriteriaId": "5771F187-281B-4680-B562-EFC7441A8F88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p3:*:*:*:*:*:*",
"matchCriteriaId": "0A4437F5-9DDA-4769-974E-23BFA085E0DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p4:*:*:*:*:*:*",
"matchCriteriaId": "A9C3A3D4-C9F4-41EB-B532-821AF83470B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p5:*:*:*:*:*:*",
"matchCriteriaId": "878A1F0A-087F-47D7-9CA5-A54BB8D6676A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p6:*:*:*:*:*:*",
"matchCriteriaId": "CE73CDC3-B5A7-4921-89C6-8F9DC426CB3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p7:*:*:*:*:*:*",
"matchCriteriaId": "50A5E650-31FB-45BE-8827-641B58A83E45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p8:*:*:*:*:*:*",
"matchCriteriaId": "D59CFDD3-AEC3-43F1-A620-0B1F0BAD9048",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:p9:*:*:*:*:*:*",
"matchCriteriaId": "44B8A489-6314-460D-90DA-AFB54298C8E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "038E5B85-7F60-4D71-8D3F-EDBF6E036CE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.0:rc4-p1:*:*:*:*:*:*",
"matchCriteriaId": "BF309824-D379-4749-A1FA-BCB2987DD671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:-:*:*:*:*:*:*",
"matchCriteriaId": "79D770C6-7A57-4A49-8164-C55391F62301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p1:*:*:*:*:*:*",
"matchCriteriaId": "AA813990-8C8F-4EE8-9F2B-9F73C510A7B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p2:*:*:*:*:*:*",
"matchCriteriaId": "D4DFA201-27D5-4C01-B90F-E24778943C3B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:freebsd:freebsd:14.1:p3:*:*:*:*:*:*",
"matchCriteriaId": "01DD321B-E5E2-49F7-86A1-D40B13E257C7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace.\n\nMalicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host."
},
{
"lang": "es",
"value": "La funci\u00f3n ctl_request_sense podr\u00eda exponer hasta tres bytes del mont\u00f3n del n\u00facleo al espacio de usuario. El software malintencionado que se ejecuta en una m\u00e1quina virtual invitada que expone virtio_scsi puede explotar las vulnerabilidades para lograr la ejecuci\u00f3n de c\u00f3digo en el host en el proceso de espacio de usuario bhyve, que normalmente se ejecuta como ra\u00edz. Tenga en cuenta que bhyve se ejecuta en un entorno aislado de Capsicum, por lo que el c\u00f3digo malintencionado est\u00e1 limitado por las capacidades disponibles para el proceso bhyve. Un iniciador iSCSI malintencionado podr\u00eda lograr la ejecuci\u00f3n remota de c\u00f3digo en el host de destino iSCSI."
}
],
"id": "CVE-2024-43110",
"lastModified": "2025-11-04T17:16:05.300",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.0,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.5,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-09-05T05:15:13.757",
"references": [
{
"source": "secteam@freebsd.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:11.ctl.asc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240920-0010/"
}
],
"sourceIdentifier": "secteam@freebsd.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-125"
}
],
"source": "secteam@freebsd.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-125"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}