An internal report described a bug in libvirt that allows a user on a read-only connection to change the response timeout for all guest agent messages. Changing this timeout can potentially cause some commands to fail.
Statement: This flaw did not affect the versions of `libvirt` as shipped with Red Hat Enterprise Linux 5, 6, 7, 8 and RHEL Advanced Virtualization, as they did not include the vulnerable code, which was introduced in a later version of the package. Specifically, the `libvirt` API to change the QEMU agent response timeout was added in `libvirt` upstream version v5.10.0.
Upstream fix: https://libvirt.org/git/?p=libvirt.git;a=commit;h=4cc90c2e62df653e909ad31fd810224bf8bcf913
Acknowledgments: Lili Zhu (Red Hat)