Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
AV:L because SPICE virtual channel is local to the VM boundary; PR:H because attacker must already control the SPICE host; C:N as no confidentiality impact is described.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
2DescriptionCVE.org
A flaw was found in spice-vdagent. A malicious or compromised SPICE host can trigger an integer overflow by sending a specially crafted message. This vulnerability can lead to a heap buffer overflow, causing the spice-vdagent daemon to crash and resulting in a Denial of Service (DoS) for the virtual machine. This issue requires the SPICE host to be untrusted or compromised for exploitation.
AnalysisAI
Integer overflow in spice-vdagent's message parsing allows a malicious or compromised SPICE host to crash the guest VM's vdagent daemon by delivering a specially crafted message that triggers a downstream heap buffer overflow. Affected deployments span spice-vdagent as packaged in Red Hat Enterprise Linux 6 through 10, where the daemon runs inside guests handling host-to-guest SPICE protocol communications. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the SPICE host communicating with the target guest VM be either malicious by design or already compromised - this prerequisite is explicitly stated in the CVE description ('requires the SPICE host to be untrusted or compromised for exploitation'). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.1 (Medium) with vector AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H accurately reflects constrained real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has compromised or otherwise controls a SPICE host crafts a malformed SPICE protocol message embedding a length or count value engineered to overflow during integer arithmetic in spice-vdagent's message parser. The overflow causes allocation of an undersized heap buffer, and the subsequent write of the full payload triggers a heap buffer overflow, crashing the spice-vdagent daemon and causing a Denial of Service for the affected guest VM. … |
| Remediation | Apply the Red Hat-issued errata update for the spice-vdagent package on affected RHEL releases (6, 7, 8, 9, 10) when published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Enterprise Linux 10
View allRemote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co
Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40049
GHSA-54pp-f5wh-29jc