Improper locking in libvirt - CVE-2021-4147

 

Improper locking in libvirt - CVE-2021-4147

Published: May 3, 2022


Vulnerability identifier: #VU62737
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-4147
CWE-ID: CWE-667
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: libvirt.org
Affected software:
libvirt

Detailed vulnerability description

The vulnerability allows a local user to perform a denial of service attack (DoS) on the target system.

The vulnerability exists due to double-locking error in the libvirt libxl driver in libxl/libxl_domain.c. A malicious guest can continuously reboot itself and cause libvirtd on the host to deadlock or crash, resulting in a denial of service condition


How to mitigate CVE-2021-4147

Install updates from vendor's website.

Sources