Izik Eidus

**Name of the Vulnerable Software and Affected Versions** macOS versions prior to 10.12.4 **Description** The issue is related to the Hypervisor component in macOS, which lacks protection of service data. This allows a local attacker to obtain sensitive information via unspecified vectors. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For macOS versions prior to 10.12.4, update to version 10.12.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the Hypervisor component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.10.3 **Description** The issue allows local users to cause a denial of service via unspecified vectors. **Recommendations** For versions prior to 10.10.3, update to version 10.10.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** libspice versions as used in QEMU-KVM in the Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualization (RHEV) 2.2 qspice version 0.3.0 **Description** The issue is related to the improper restriction of addresses for memory-management actions, which can be exploited by guest OS users. This can lead to a denial of service, causing the guest OS to crash, or potentially allow users to gain privileges via unspecified vectors. **Recommendations** For libspice as used in QEMU-KVM in the Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualization (RHEV) 2.2, consider restricting memory-management actions to authorized addresses until a patch is available. For qspice version 0.3.0, restrict access to memory-management functions to prevent potential exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Red Hat Enterprise Virtualization (RHEV) version 2.2 KVM version 83 **Description** The issue is related to the QEMU-KVM component in the Hypervisor, which does not properly validate guest QXL driver pointers. This can allow guest OS users to cause a denial of service, resulting in an invalid pointer dereference and a guest OS crash. It is also possible for attackers to gain privileges via unspecified vectors. **Recommendations** For Red Hat Enterprise Virtualization (RHEV) version 2.2, update the QEMU-KVM component to a version that properly validates guest QXL driver pointers. For KVM version 83, update the QEMU-KVM component to a version that properly validates guest QXL driver pointers.

**Name of the Vulnerable Software and Affected Versions** libspice versions prior to 5.5-2.2 **Description** The issue allows guest OS users to read from or write to arbitrary QEMU memory by modifying the address that is used by Cairo for memory mappings. This can potentially lead to unauthorized access or modification of sensitive data. **Recommendations** For versions prior to 5.5-2.2, update to version 5.5-2.2 or later to resolve the issue.