CVE-2014-3633
EPSS 2.9%
Description
The qemuDomainGetBlockIoTune function in qemu/qemu_driver.c in libvirt before 1.2.9, when a disk has been hot-plugged or removed from the live image, allows remote attackers to cause a denial of service (crash) or read sensitive heap information via a crafted blkiotune query, which triggers an out-of-bounds read.
How to fix CVE-2014-3633
To remediate CVE-2014-3633, upgrade the affected package to a fixed version below.
- Debian/libvirt—upgrade to 1.2.8-2 or later
Is CVE-2014-3633 being exploited?
Low — EPSS is 2.9%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Debian/libvirt: from 0, < 1.2.8-2