CVE-2019-3886

An incorrect permissions check was discovered in libvirt 4.8.0 and above. The readonly permission was allowed to invoke APIs depending on the guest agent, which could lead to potentially disclosing unintended information or denial of service by causing libvirt to block.

Published: Apr 4, 2019
Updated: Nov 9, 2025
CVE: CVE-2019-3886
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CVSS v2:

Severity: Low
Score: 4.8
AV:A/AC:L/Au:N/C:P/I:N/A:P

CWEs:

CWE-862

Affected Software
References

Software	From	Fixed in
redhat / libvirt	4.8.0	5.3.0
opensuse / leap	42.3	42.3.x
fedoraproject / fedora	29	29.x
fedoraproject / fedora	30	30.x

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00105.html
http://www.securityfocus.com/bid/107777
https://access.redhat.com/errata/RHBA-2019:3723
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3886
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CYMNKXAUBZCFBBPFH64FJPH5EJH4GSU2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5DHYIFECZ7BMVXK4EP4FDFZXK7I5MZH/
https://usn.ubuntu.com/4021-1/

Vulnerability Database

CVE-2019-3886

Deep Security Visibility Without the Complexity