CVE-2024-26328: 
NixOS vulnerability analysis and mitigation

An issue was discovered in QEMU versions 7.1.0 through 8.2.1. The vulnerability exists in the register_vfs function within hw/pci/pcie_sriov.c, which fails to properly set NumVFs to PCI_SRIOV_TOTAL_VF, leading to mishandled interactions with hw/nvme/ctrl.c (NVD, MITRE).

The vulnerability stems from a code issue in QEMU's PCI SR-IOV (Single Root I/O Virtualization) implementation. The register_vfs function in the pcie_sriov.c file incorrectly handles the NumVFs value, which should be set to PCI_SRIOV_TOTAL_VF. This implementation flaw affects the interaction with the NVMe controller code in hw/nvme/ctrl.c. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.0 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H (NVD).

When successfully exploited, this vulnerability could lead to a Denial of Service (DoS) condition. The issue particularly affects systems utilizing QEMU's SR-IOV functionality for virtual function management (NetApp Advisory).

The vulnerability has been fixed in various distributions and versions. Ubuntu has addressed the issue in versions 24.10 (oracular) with version 1:9.0.2+ds-4ubuntu2 and 24.04 LTS (noble) with version 1:8.2.2+ds-0ubuntu1.2. The fix involves proper validation of NumVFs against TotalVFs in the SR-IOV implementation (Ubuntu Security).