CVE-2024-4467: 
Alma Linux vulnerability analysis and mitigation

A vulnerability (CVE-2024-4467) was discovered in the QEMU disk image utility (qemu-img) 'info' command. The vulnerability was disclosed on July 2, 2024, affecting QEMU disk image utility and its implementations in various systems (Red Hat CVE, NVD).

The vulnerability exists in the qemu-img 'info' command where a specially crafted image file containing a json:{} value describing block devices in QMP could be exploited. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access required with low attack complexity (NVD).

When successfully exploited, this vulnerability can cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service. Additionally, it can allow read/write access to existing external files on the host system (Red Hat CVE, NetApp Advisory).

Red Hat has released security updates to address this vulnerability across multiple product versions, including RHEL 8.4, 8.6, 8.8, and 9.x. Users are advised to apply the appropriate security updates through the available errata advisories (RHSA-2024:4374, RHSA-2024:4373, RHSA-2024:4372).