CVE-2019-10167

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-10167

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10167.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-10167

Downstream

ALPINE-CVE-2019-10167

DEBIAN-CVE-2019-10167

DLA-1832-1

DSA-4469-1

RHSA-2019:1579

RHSA-2019:1580

RHSA-2019:1699

RHSA-2019:1762

SUSE-SU-2019:1599-1

SUSE-SU-2019:1637-1

SUSE-SU-2019:1643-1

SUSE-SU-2019:1686-1

SUSE-SU-2019:2105-1

SUSE-SU-2019:2227-1

SUSE-SU-2019:2227-2

UBUNTU-CVE-2019-10167

USN-4047-1

openSUSE-SU-2019:1672-1

openSUSE-SU-2019:1753-1

openSUSE-SU-2024:11008-1

Related

Published

2019-08-02T13:15:12Z

Modified

2025-08-09T19:01:27Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

The virConnectGetDomainCapabilities() libvirt API, versions 4.x.x before 4.10.1 and 5.x.x before 5.4.1, accepts an "emulatorbin" argument to specify the program providing emulation for a domain. Since v1.2.19, libvirt will execute that program to probe the domain's capabilities. Read-only clients could specify an arbitrary path for this argument, causing libvirtd to execute a crafted executable with its own privileges.

References

Affected packages