CVE-2024-41721

Name of the Vulnerable Software and Affected Versions FreeBSD (affected versions not specified)

Description The issue is related to an insufficient boundary validation in the USB code, which could lead to an out-of-bounds read on the heap, potentially resulting in an arbitrary write and remote code execution. This vulnerability affects the bhyve hypervisor's XHCI emulation functionality. The process bhyve typically runs with root privileges, increasing the potential impact. Although bhyve operates in an isolated environment using Capsicum, which limits available capabilities, the risk of exploitation remains. All supported versions of FreeBSD are affected, with systems using XHCI emulation being particularly vulnerable.

Recommendations To resolve the issue, update your FreeBSD system to a version that includes the fix released on September 19, 2024. After applying the updates or patches, it is crucial to restart all guest operating systems using USB devices with XHCI emulation to ensure the fixes take effect. As a temporary workaround, consider restricting the use of XHCI emulation in the bhyve hypervisor until a patch is available.