CVE-2024-8354

Publication date 19 September 2024

Last updated 4 March 2026

Ubuntu priority

Cvss 3 Severity Score

Description

A flaw was found in QEMU. An assertion failure was present in the usb_ep_get() function in hw/net/core.c when trying to get the USB endpoint from a USB device. This flaw may allow a malicious unprivileged guest user to crash the QEMU process on the host and cause a denial of service condition.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
qemu	25.10 questing	Fixed 1:10.1.0+ds-5ubuntu2.4
	25.04 plucky	Ignored end of life, was needed
	24.10 oracular	Ignored end of life, was deferred [2025-05-26]
	24.04 LTS noble	Fixed 1:8.2.2+ds-0ubuntu1.13
	22.04 LTS jammy	Fixed 1:6.2+dfsg-2ubuntu6.28
	20.04 LTS focal	Vulnerable
	18.04 LTS bionic	Vulnerable
	16.04 LTS xenial	Vulnerable
	14.04 LTS trusty	Vulnerable

Notes

mdeslaur

While this was originally marked as fixed in USN-7744-1, the 3c3c233677 commit was actually for a similar bug in hcd-ohci. This CVE is for the bug in hcd-uhci. A proposed fix is: https://patchew.org/QEMU/20250915132910.1252212-1-peter.maydell@linaro.org/

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
qemu	Upstream: 3c3c233 Upstream: d0af3cd

Severity score breakdown

Parameter	Value
Base score	5.5 · Medium
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H