CVE-2024-41928

EPSS 0.05%
Veröffentlicht 05.09.2024 04:15:06
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle secteam@freebsd.org
CVE-Watchlists
Login
Unerledigt
Login

bhyve(8) privileged guest escape via TPM device passthrough

Malicious software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 5

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellerfreebsd

≫

Produkt freebsd

Default Statusunknown

Version 14.1

Version < 14.1_p4

Status affected

Version 14.0

Version < 14.0_p10

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.142

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.4	2.5	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input

The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://security.freebsd.org/advisories/FreeBSD-SA-24:10.bhyve.asc

https://security.netapp.com/advisory/ntap-20240920-0009/

https://nvd.nist.gov/vuln/detail/CVE-2024-41928

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-41928

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-41928

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-41928