Name of the Vulnerable Software and Affected Versions:

spice-vdagent versions 0.20 and prior

Description:

A race condition vulnerability was found in the way the spice-vdagentd daemon handled new client connections. This flaw may allow an unprivileged local guest user to become the active agent for spice-vdagentd, possibly resulting in a denial of service or information leakage from the host. The highest threat from this vulnerability is to data confidentiality as well as system availability.

Recommendations:

For spice-vdagent versions 0.20 and prior, consider disabling the spice-vdagentd daemon until a patch is available to prevent potential denial of service or information leakage. Restrict access to the spice-vdagentd daemon to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.