Total vulnerabilities in the database
The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace.
Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.
| Software | From | Fixed in |
|---|---|---|
| freebsd / freebsd | 14.0 | 14.0.x |
| freebsd / freebsd | 14.0-beta5 | 14.0-beta5.x |
| freebsd / freebsd | 14.0-rc3 | 14.0-rc3.x |
| freebsd / freebsd | 14.0-rc4-p1 | 14.0-rc4-p1.x |
| freebsd / freebsd | 14.0-p1 | 14.0-p1.x |
| freebsd / freebsd | 14.0-p2 | 14.0-p2.x |
| freebsd / freebsd | 14.1 | 14.1.x |
| freebsd / freebsd | 14.1-p1 | 14.1-p1.x |
| freebsd / freebsd | 14.0-p4 | 14.0-p4.x |
| freebsd / freebsd | 14.0-p5 | 14.0-p5.x |
| freebsd / freebsd | 14.0-p6 | 14.0-p6.x |
| freebsd / freebsd | 14.0-p7 | 14.0-p7.x |
| freebsd / freebsd | 14.0-p3 | 14.0-p3.x |
| freebsd / freebsd | 13.3 | 13.3.x |
| freebsd / freebsd | 13.3-p1 | 13.3-p1.x |
| freebsd / freebsd | 13.3-p2 | 13.3-p2.x |
| freebsd / freebsd | 13.3-p3 | 13.3-p3.x |
| freebsd / freebsd | 14.1-p2 | 14.1-p2.x |
| freebsd / freebsd | 14.0-p8 | 14.0-p8.x |
| freebsd / freebsd | 13.3-p4 | 13.3-p4.x |
| freebsd / freebsd | 13.0 | 13.3 |
| freebsd / freebsd | 14.1-p3 | 14.1-p3.x |
| freebsd / freebsd | 14.0-p9 | 14.0-p9.x |
| freebsd / freebsd | 13.4-beta3 | 13.4-beta3.x |
| freebsd / freebsd | 13.3-p5 | 13.3-p5.x |