CVE-2023-2680: 
Alma Linux vulnerability analysis and mitigation

CVE-2023-2680 is a vulnerability that exists due to an incomplete fix for CVE-2021-3750. Specifically, the qemu-kvm package released for Red Hat Enterprise Linux 9.1 via RHSA-2022:7967 was missing the fix for CVE-2021-3750. This vulnerability affects the qemu-kvm package in Red Hat Enterprise Linux systems (Red Hat Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.2 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. The vulnerability is classified as a Use After Free (CWE-416) issue. This is specific to the qemu-kvm packages produced by Red Hat and is not applicable to any upstream QEMU version or QEMU packages of other vendors that are not directly based on Red Hat Enterprise Linux packages (NVD).

The successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability affects the confidentiality, integrity, and availability of the system, all rated as High in the CVSS scoring (NetApp Advisory).

Red Hat has addressed this vulnerability in Red Hat Enterprise Linux 9 through the security advisory RHSA-2023:6368. Users are advised to update their qemu-kvm packages to the patched version. After installing the update, all running virtual machines need to be shut down and restarted for the fix to take effect (Red Hat Advisory).