Description
A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file.
Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| unaffected |
|
||||||||
| Red Hat | Advanced Virtualization for RHEL 8.2.1 | affected |
|
||||||
| Red Hat | Advanced Virtualization for RHEL 8.4.0.EUS | affected |
|
||||||
| Red Hat | Advanced Virtualization for RHEL 8.4.0.EUS | affected |
|
||||||
| Red Hat | Red Hat Enterprise Linux 8 | affected |
|
||||||
| Red Hat | Red Hat Enterprise Linux 8 | affected |
|
||||||
| Red Hat | Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | affected |
|
||||||
| Red Hat | Red Hat Enterprise Linux 8.4 Telecommunications Update Service | affected |
|
||||||
| Red Hat | Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | affected |
|
||||||
| Red Hat | Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | affected |
|
||||||
| Red Hat | Red Hat Enterprise Linux 8.6 Telecommunications Update Service | affected |
|
||||||
| Red Hat | Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | affected |
|
||||||
| Red Hat | Red Hat Enterprise Linux 8.8 Extended Update Support | affected |
|
||||||
| Red Hat | Red Hat Enterprise Linux 8.8 Extended Update Support | affected |
|
||||||
| Red Hat | Red Hat Enterprise Linux 9 | affected |
|
||||||
| Red Hat | Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | affected |
|
||||||
| Red Hat | Red Hat Enterprise Linux 9.2 Extended Update Support | affected |
|
||||||
| Red Hat | Red Hat Enterprise Linux 10 | unaffected | — | ||||||
| Red Hat | Red Hat Enterprise Linux 6 | unaffected | — | ||||||
| Red Hat | Red Hat Enterprise Linux 7 | unaffected | — | ||||||
| Red Hat | Red Hat Enterprise Linux 7 | unaffected | — | ||||||
| Red Hat | Red Hat Enterprise Linux 8 Advanced Virtualization | affected | — | ||||||
| Red Hat | Red Hat OpenShift Virtualization 4 | affected | — |
No data.
| Package | CPE | Advisory | Released Date |
|---|---|---|---|
| Advanced Virtualization for RHEL 8.2.1 | |||
| virt:8.2-8020120240708124623.863bb0db | cpe:/a:redhat:advanced_virtualization:8.2::el8 | RHSA-2024:4727 | 2024-07-23T00:00:00Z |
| Advanced Virtualization for RHEL 8.4.0.EUS | |||
| virt:av-8040020240708093550.522a0ee4 | cpe:/a:redhat:advanced_virtualization:8.4::el8 | RHSA-2024:4724 | 2024-07-23T00:00:00Z |
| virt-devel:av-8040020240708093550.522a0ee4 | cpe:/a:redhat:advanced_virtualization:8.4::el8 | RHSA-2024:4724 | 2024-07-23T00:00:00Z |
| Red Hat Enterprise Linux 8 | |||
| virt-devel:rhel-8100020240704072441.489197e6 | cpe:/a:redhat:enterprise_linux:8 | RHSA-2024:4420 | 2024-07-09T00:00:00Z |
| virt:rhel-8100020240704072441.489197e6 | cpe:/a:redhat:enterprise_linux:8 | RHSA-2024:4420 | 2024-07-09T00:00:00Z |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | |||
| virt:rhel-8040020240703100448.522a0ee4 | cpe:/a:redhat:rhel_aus:8.4 | RHSA-2024:4374 | 2024-07-08T00:00:00Z |
| Red Hat Enterprise Linux 8.4 Telecommunications Update Service | |||
| virt:rhel-8040020240703100448.522a0ee4 | cpe:/a:redhat:rhel_tus:8.4 | RHSA-2024:4374 | 2024-07-08T00:00:00Z |
| Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | |||
| virt:rhel-8040020240703100448.522a0ee4 | cpe:/a:redhat:rhel_e4s:8.4 | RHSA-2024:4374 | 2024-07-08T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | |||
| virt:rhel-8060020240703092415.ad008a3a | cpe:/a:redhat:rhel_aus:8.6 | RHSA-2024:4373 | 2024-07-08T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | |||
| virt:rhel-8060020240703092415.ad008a3a | cpe:/a:redhat:rhel_tus:8.6 | RHSA-2024:4373 | 2024-07-08T00:00:00Z |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | |||
| virt:rhel-8060020240703092415.ad008a3a | cpe:/a:redhat:rhel_e4s:8.6 | RHSA-2024:4373 | 2024-07-08T00:00:00Z |
| Red Hat Enterprise Linux 8.8 Extended Update Support | |||
| virt-devel:rhel-8080020240703085245.63b34585 | cpe:/a:redhat:rhel_eus:8.8 | RHSA-2024:4372 | 2024-07-08T00:00:00Z |
| virt:rhel-8080020240703085245.63b34585 | cpe:/a:redhat:rhel_eus:8.8 | RHSA-2024:4372 | 2024-07-08T00:00:00Z |
| Red Hat Enterprise Linux 9 | |||
| qemu-kvm-17:8.2.0-11.el9_4.4 | cpe:/a:redhat:enterprise_linux:9 | RHSA-2024:4278 | 2024-07-02T00:00:00Z |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | |||
| qemu-kvm-17:6.2.0-11.el9_0.9 | cpe:/a:redhat:rhel_e4s:9.0 | RHSA-2024:4276 | 2024-07-02T00:00:00Z |
| Red Hat Enterprise Linux 9.2 Extended Update Support | |||
| qemu-kvm-17:7.2.0-14.el9_2.11 | cpe:/a:redhat:rhel_eus:9.2 | RHSA-2024:4277 | 2024-07-02T00:00:00Z |
No data available yet.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 EUVD |
EUVD-2024-44082 | A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file. |
 Ubuntu USN |
USN-7744-1 | QEMU vulnerabilities |
References
History
Wed, 25 Feb 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-787 |
Wed, 16 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
epss
|
epss
|
Wed, 21 May 2025 01:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:/o:redhat:enterprise_linux:10 |
Fri, 22 Nov 2024 12:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
Tue, 12 Nov 2024 10:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
|
| Metrics |
ssvc
|
Fri, 23 Aug 2024 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
Tue, 13 Aug 2024 10:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Qemu: 'qemu-img info' leads to host file read/write | Qemu-kvm: 'qemu-img info' leads to host file read/write |
MITRE
Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2026-02-25T20:31:18.164Z
Reserved: 2024-05-03T09:44:14.000Z
Link: CVE-2024-4467
Vulnrichment
Updated: 2024-08-22T18:03:16.787Z
NVD
Status : Deferred
Published: 2024-07-02T16:15:05.423
Modified: 2026-04-15T00:35:42.020
Link: CVE-2024-4467
Redhat
OpenCVE Enrichment
No data.