CVE-2023-2700: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2023-2700) was discovered in libvirt, affecting versions prior to 9.3.0. The security flaw occurs due to repeatedly querying an SR-IOV PCI device's capabilities that exposes a memory leak caused by a failure to free the virPCIVirtualFunction array within the parent struct's g_autoptr cleanup. The vulnerability was discovered in May 2023 and affects multiple operating systems including Red Hat Enterprise Linux, Fedora, and Ubuntu (NVD, Ubuntu).

The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The issue was introduced in version v7.7.0-rc1 and was caused by a memory leak in the virPCIVirtualFunctionList cleanup process. When exploited, the vulnerability results in a memory leak of 256,000 bytes in 1,000 blocks during a single interface's XML description query (Bugzilla, GitLab).

The successful exploitation of this vulnerability could lead to a Denial of Service (DoS) condition due to memory exhaustion. The impact is primarily on the availability of the system, with no direct effect on confidentiality or integrity (NetApp Advisory).

The vulnerability has been fixed in libvirt version 9.3.0. Various distributions have released patches including Red Hat Enterprise Linux (RHSA-2023:3715 and RHSA-2023:3822), Fedora 38 (libvirt-9.0.0-4.fc38), and Ubuntu. Users are advised to upgrade to the patched versions (Fedora Update, Bugzilla).