CVE-2024-3447

Published Nov 14, 2024

Last updated 4 months ago

CVSS medium 6.0

Overview

Description
A heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s->data_count` and the size of `s->fifo_buffer` are set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
Source
patrick@puiterwijk.org
NVD status
Modified
Products
qemu, hci_compute_node

Risk scores

CVSS 3.1

Type
Secondary
Base score
6
Impact score
4
Exploitability score
1.5
Vector string
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Severity
MEDIUM

Weaknesses

patrick@puiterwijk.org
CWE-122

Social media

Hype score
Not currently trending

  1. 🚨 Critical #QEMU vulnerabilities patched in #Ubuntu (USN-7744-1). CVE-2024-3446 allows guest-to-host escape & RCE. CVE-2024-3447 & CVE-2024-3567 lead to DoS. Impact: Ubuntu 22.04 LTS, 24.04 LTS. Patch NOW and restart all VMs. Read more:👉 https://t.co/twmqjxUuCm h

    @Cezar_H_Linux

    12 Sept 2025

    89 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2024-3447 A heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s->data_count` and the size of `s->fifo_buffer` are set t… https://t.co/a76xrfMtCi

    @CVEnew

    14 Nov 2024

    125 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. hw/pci/pcie_sriov.c in QEMU through 10.0.3 mishandles the VF Enable bit write mask, a related issue to CVE-2024-26327.•CVE-2025-54567
  2. hw/pci/pcie_sriov.c in QEMU through 10.0.3 has a migration state inconsistency, a related issue to CVE-2024-26327.•CVE-2025-54566
  3. Vim is an open source, command line text editor. Vim is distributed with the tar.vim plugin, that allows easy editing and viewing of (compressed or uncompressed) tar files. Starting with 9.1.0858, the tar.vim plugin uses the ":read" ex command line to append below the cursor position, however the is not sanitized and is taken literally from the tar archive. This allows to execute shell commands via special crafted tar archives. Whether this really happens, depends on the shell being used ('shell' option, which is set using $SHELL). The issue has been fixed as of Vim patch v9.1.1164•CVE-2025-27423
  4. libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.•CVE-2025-24928
  5. libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.•CVE-2024-56171

References

Sources include official advisories and independent security research.