A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file.

Amazon Linux has assessed CVE-2024-4467 for qemu-kvm. For AL1, backporting the fix as well as all the dependent changes will increase technical complexity. This will in turn increase the risk associated with this change. This risk outweighs the risk associated with the CVE and Amazon Linux will not be shipping a patch for CVE-2024-4467 on AL1 at this point.

Note: Amazon recommends upgrading to Amazon Linux 2 or Amazon Linux 2023. As a matter of general security practice, Amazon recommends to not rely on in-instance facilities for strong separation of privileges or data security compartments.