CVE-2020-14339

HIGH

Redhat Libvirt < 6.7.0 - Resource Leak

Title source: rule

Description

A flaw was found in libvirt, where it leaked a file descriptor for `/dev/mapper/control` into the QEMU process. This file descriptor allows for privileged operations to happen against the device-mapper on the host. This flaw allows a malicious guest user or process to perform operations outside of their standard permissions, potentially causing serious damage to the host operating system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

References (3)

[Issue Tracking, Patch, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=1860069

[Third Party Advisory] https://security.gentoo.org/glsa/202101-22

[Third Party Advisory] https://security.gentoo.org/glsa/202210-06

Scores

CVSS v3 8.8

EPSS 0.0008

EPSS Percentile 22.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Classification

CWE

CWE-772

Status published

Affected Products (2)

redhat/libvirt < 6.7.0

redhat/enterprise_linux

Timeline

Published Dec 03, 2020

Tracked Since Feb 18, 2026