FKIE_CVE-2024-3447

Vulnerability from fkie_nvd - Published: 2024-11-14 12:15 - Updated: 2025-11-03 20:16
Severity ?
6.0 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Summary
A heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s->data_count` and the size of `s->fifo_buffer` are set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
References
patrick@puiterwijk.orghttps://access.redhat.com/security/cve/CVE-2024-3447Third Party Advisory
patrick@puiterwijk.orghttps://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813Exploit, Issue Tracking
patrick@puiterwijk.orghttps://bugzilla.redhat.com/show_bug.cgi?id=2274123Issue Tracking, Third Party Advisory
patrick@puiterwijk.orghttps://patchew.org/QEMU/20240404085549.16987-1-philmd@linaro.org/Broken Link
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2025/04/msg00042.html
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20250425-0005/Vendor Advisory
Impacted products
Vendor Product Version
qemu qemu *
qemu qemu *
qemu qemu 9.0.0
qemu qemu 9.0.0
qemu qemu 9.0.0
qemu qemu 9.0.0
netapp hci_compute_node -
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0EAD89F2-2AEA-4655-B072-E12C2AD69711",
              "versionEndExcluding": "7.2.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "59D5C13B-B7C8-4057-94E6-D5B29B0C745B",
              "versionEndExcluding": "8.2.3",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:qemu:qemu:9.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "53B020E1-1339-4E3B-8CC3-7108309DF2F1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:qemu:qemu:9.0.0:rc0:*:*:*:*:*:*",
              "matchCriteriaId": "5E7620C7-95CD-4451-A485-69CF3752627B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:qemu:qemu:9.0.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "F8EBBE5A-0A6F-4F35-AA50-CA81B15F6BDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:qemu:qemu:9.0.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "45846E0D-C683-4DAF-AE17-32CD8EB283F3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:netapp:hci_compute_node:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4AFE5CAF-ACA7-4F82-BEC1-69562D75E66E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s-\u003edata_count` and the size of  `s-\u003efifo_buffer` are set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un desbordamiento de b\u00fafer basado en mont\u00f3n en la emulaci\u00f3n de dispositivo SDHCI de QEMU. El error se activa cuando tanto `s-\u0026gt;data_count` como el tama\u00f1o de `s-\u0026gt;fifo_buffer` se establecen en 0x200, lo que genera un acceso fuera de los l\u00edmites. Un invitado malintencionado podr\u00eda usar esta falla para bloquear el proceso QEMU en el host, lo que genera una condici\u00f3n de denegaci\u00f3n de servicio."
    }
  ],
  "id": "CVE-2024-3447",
  "lastModified": "2025-11-03T20:16:26.963",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.5,
        "impactScore": 4.0,
        "source": "patrick@puiterwijk.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-11-14T12:15:17.743",
  "references": [
    {
      "source": "patrick@puiterwijk.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2024-3447"
    },
    {
      "source": "patrick@puiterwijk.org",
      "tags": [
        "Exploit",
        "Issue Tracking"
      ],
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813"
    },
    {
      "source": "patrick@puiterwijk.org",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274123"
    },
    {
      "source": "patrick@puiterwijk.org",
      "tags": [
        "Broken Link"
      ],
      "url": "https://patchew.org/QEMU/20240404085549.16987-1-philmd@linaro.org/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00042.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20250425-0005/"
    }
  ],
  "sourceIdentifier": "patrick@puiterwijk.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-122"
        }
      ],
      "source": "patrick@puiterwijk.org",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.