CVE-2024-32485

Vulnerability

An improper input validation vulnerability exists in Intel(R) Virtual RAID on CPU (VROC) software before version 8.6.0.2003 [1]. The flaw resides in input handling code that fails to properly validate data supplied by an authenticated local user, allowing malformed input to trigger an out-of-bounds condition or other unexpected behavior that crashes the VROC service or its driver.

Exploitation

An attacker needs local access to a system with VROC installed and must have valid authentication credentials for the operating system [1]. The attacker then submits crafted data through the VROC control interface (e.g., via the command-line utility or API) that is not sanitized. No additional privileges beyond standard user access are required; the exploit does not require administrative rights, though the VROC software typically runs with elevated privileges.

Impact

Successful exploitation leads to denial of service (DoS) by crashing the VROC service or causing the storage stack to become unresponsive [1]. This can cause loss of access to RAID volumes and potentially system instability. The impact is limited to integrity and availability of storage services; there is no indication of privilege escalation or arbitrary code execution.

Mitigation

Intel addressed this vulnerability in VROC version 8.6.0.2003, released on 2024-11-13 [1]. Users should update to the latest version from Intel's official download center. No workarounds are available. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) as of publication.