CVE-2017-12194
CRITICALspice-gtk < 0.34 - Stack-based Buffer Overflow via Malicious Server Messages
Title source: llmDescription
A flaw was found in the way spice-client processed certain messages sent from the server. An attacker, having control of malicious spice-server, could use this flaw to crash the client or execute arbitrary code with permissions of the user running the client. spice-gtk versions through 0.34 are believed to be vulnerable.
References (4)
Core 4
Core References
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201811-20
Vendor Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/3659-1/
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1501200
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/103413
Scores
CVSS v3
9.8
EPSS
0.0554
EPSS Percentile
91.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-121
CWE-20
Status
published
Products (1)
spice-gtk_project/spice-gtk
< 0.34
Published
Mar 14, 2018
Tracked Since
Feb 18, 2026