CVSS: 8.2EPSS: 0%CPEs: 3EXPL: 1CVE-2021-3750 – QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free
https://notcve.org/view.php?id=CVE-2021-3750
A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. • https://bugzilla.redhat.com/show_bug.cgi?id=1999073 https://gitlab.com/qemu-project/qemu/-/issues/541 https://gitlab.com/qemu-project/qemu/-/issues/556 https://security.gentoo.org/glsa/202208-27 https://security.netapp.com/advisory/ntap-20220624-0003 https://access.redhat.com/security/cve/CVE-2021-3750 • CWE-416: Use After Free •
CVSS: 8.2EPSS: 0%CPEs: 5EXPL: 1CVE-2021-4206 – QEMU: QXL: integer overflow in cursor_alloc() can lead to heap buffer overflow
https://notcve.org/view.php?id=CVE-2021-4206
A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. Se ha encontrado un fallo en la emulación del dispositivo de visualización QXL en QEMU. Un desbordamiento de enteros en la función cursor_alloc() puede conllevar a una asignación de un pequeño objeto cursor seguido de un posterior desbordamiento del búfer en la región heap de la memoria. • https://bugzilla.redhat.com/show_bug.cgi?id=2036998 https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html https://security.gentoo.org/glsa/202208-27 https://starlabs.sg/advisories/21-4206 https://www.debian.org/security/2022/dsa-5133 https://access.redhat.com/security/cve/CVE-2021-4206 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-131: Incorrect Calculation of Buffer Size CWE-190: Integer Overflow or Wraparound •
CVSS: 8.2EPSS: 0%CPEs: 5EXPL: 1CVE-2021-4207 – QEMU: QXL: double fetch in qxl_cursor() can lead to heap buffer overflow
https://notcve.org/view.php?id=CVE-2021-4207
A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. Se ha encontrado un fallo en la emulación del dispositivo de visualización QXL en QEMU. Una doble obtención de los valores controlados por el huésped "cursor-)header.width" y "cursor-)header.height" puede conllevar a una asignación de un pequeño objeto cursor seguido de un posterior desbordamiento del búfer en la región heap de la memoria. • https://bugzilla.redhat.com/show_bug.cgi?id=2036966 https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html https://security.gentoo.org/glsa/202208-27 https://starlabs.sg/advisories/21-4207 https://www.debian.org/security/2022/dsa-5133 https://access.redhat.com/security/cve/CVE-2021-4207 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 3.2EPSS: 0%CPEs: 3EXPL: 0CVE-2022-26354 – QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak
https://notcve.org/view.php?id=CVE-2022-26354
A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0. Se ha encontrado un fallo en el dispositivo vhost-vsock de QEMU. En caso de error, un elemento inválido no era desprendido de la virtqueue antes de liberar su memoria, conllevando a una pérdida de memoria y otros resultados no esperados. • https://gitlab.com/qemu-project/qemu/-/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf https://lists.debian.org/debian-lts-announce/2022/04/msg00002.html https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html https://security.gentoo.org/glsa/202208-27 https://security.netapp.com/advisory/ntap-20220425-0003 https://www.debian.org/security/2022/dsa-5133 https://access.redhat.com/security/cve/CVE-2022-26354 https://bugzilla.redhat.com/show_bug.cgi?id=2063257 • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-26353 – QEMU: virtio-net: map leaking on error during receive
https://notcve.org/view.php?id=CVE-2022-26353
A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0. Se ha encontrado un fallo en el dispositivo virtio-net de QEMU. Este fallo fue introducido inadvertidamente con la corrección de CVE-2021-3748, que olvidaba desmapear los elementos de virtqueue almacenados en caché en caso de error, conllevando a pérdidas de memoria y otros resultados no esperados. • https://gitlab.com/qemu-project/qemu/-/commit/abe300d9d894f7138e1af7c8e9c88c04bfe98b37 https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg02438.html https://security.gentoo.org/glsa/202208-27 https://security.netapp.com/advisory/ntap-20220425-0003 https://www.debian.org/security/2022/dsa-5133 https://access.redhat.com/security/cve/CVE-2022-26353 https://bugzilla.redhat.com/show_bug.cgi?id=2063197 • CWE-772: Missing Release of Resource after Effective Lifetime •