CVE-2024-8612

Advisory lineage Upstream: 0 Downstream: 10

Downstream

DEBIAN-CVE-2024-8612 MGASA-2024-0387 OPENSUSE-SU-2024:14411-1 SUSE-SU-2024:3744-1 SUSE-SU-2024:3948-1 SUSE-SU-2024:4094-1

Deferred

Published: 20 Sept 2024, 17:50

Last modified:08 Nov 2025, 08:56

Vulnerability Summary

Overall Risk (default)

low

15/100

CVSS Score

3.8 LOW

v3.1 (cve.org)

EPSS Score

0.05% LOW

0% probability +0.01%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

20 Sept 2024, 17:50

Published

Vulnerability first disclosed

08 Nov 2025, 08:56

Last Modified

Vulnerability information updated

Description

A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueue_push as set in virtio_scsi_complete_req / virtio_blk_req_complete / virito_crypto_req_complete could be larger than the true size of the data which has been sent to guest. Once virtqueue_push() finally calls dma_memory_unmap to ummap the in_iov, it may call the address_space_write function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an information leak.

CVSS Metrics

v3.1•LOW•Score: 3.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

EPSS Trends

Current EPSS score: 0.05%• Percentile: 17%

Techniques & Countermeasures

CWE-200•Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.