Description
Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. From version 21.0 to before version 51.2, a guest can cause a use-after-free in the cloud-hypervisor process by submitting two virtio-block descriptor chains that reuse the same head_index while asynchronous block I/O is enabled (e.g. io_uring, aio). When the kernel completes the duplicate operation before the original, the completion path frees a bounce buffer that the kernel is still actively reading from or writing to, corrupting the freed memory. This issue has been patched in versions 51.2 and 52.0.
CVSS breakdown
CVSS 4.0
Attack Vector
Local
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Confidentiality (Vulnerable System)
High
Integrity (Vulnerable System)
High
Availability (Vulnerable System)
High
Confidentiality (Subsequent System)
High
Integrity (Subsequent System)
High
Availability (Subsequent System)
High
Affected products
- cloud-hypervisor / cloud-hypervisor>= 21.0, < 51.2 – >= 21.0, < 51.2
References
- VENDOR_ADVISORYhttps://github.com/cloud-hypervisor/cloud-hypervisor/security/advisories/GHSA-f47p-p25q-83rh
- PATCHhttps://github.com/cloud-hypervisor/cloud-hypervisor/pull/8220
- PATCHhttps://github.com/cloud-hypervisor/cloud-hypervisor/commit/1314ac883c641f1045bbb06dec0de045a3894baa
- PATCHhttps://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v51.2
- PATCHhttps://github.com/cloud-hypervisor/cloud-hypervisor/releases/tag/v52.0