Red Hat Enterprise Linux 9 update for qt5-qtbase

1) Time-of-check Time-of-use (TOCTOU) Race Condition

EUVDB-ID: #VU94613

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-39936

CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a race condition in HTTP2 support when establishing an encrypted connection. A remote attacker can potentially force the application to send data before the encrypted() signal, leading to potential information disclosure.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Enterprise Linux for ARM 64: 9

Red Hat Enterprise Linux for Power, little endian: 9

Red Hat Enterprise Linux for IBM z Systems: 9

Red Hat Enterprise Linux for x86_64: 9

qt5-qtbase (Red Hat package): before 5.15.9-10.el9_4

External links

http://access.redhat.com/errata/RHSA-2024:4623

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.