CVSS: 6.0EPSS: 0%CPEs: 3EXPL: 0CVE-2020-35504
https://notcve.org/view.php?id=CVE-2020-35504
A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. Se encontró un fallo de desreferencia del puntero NULL en el soporte de emulación SCSI de QEMU en versiones anteriores a 6.0.0. Este fallo permite a un usuario invitado privilegiado bloquear el proceso QEMU en el host, resultando en una denegación de servicio. • http://www.openwall.com/lists/oss-security/2021/04/16/3 https://bugzilla.redhat.com/show_bug.cgi?id=1909766 https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html https://security.gentoo.org/glsa/202208-27 https://security.netapp.com/advisory/ntap-20210713-0006 https://www.openwall.com/lists/oss-security/2021/04/16/3 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2021-3527
https://notcve.org/view.php?id=CVE-2021-3527
A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. Se encontró un fallo en el dispositivo redirector USB (usb-redir) de QEMU. • https://bugzilla.redhat.com/show_bug.cgi?id=1955695 https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 https://lists.debian.org/debian-lts-announce/2021/09/msg00000.html https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html https://security.gentoo.org/glsa/202208-27 https://security.netapp.com/advisory/ntap-20210708-0008 https://www.openwall.com/lists/oss-security/ • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 1CVE-2021-3507 – QEMU: fdc: heap buffer overflow in DMA read data transfers
https://notcve.org/view.php?id=CVE-2021-3507
A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory. Se encontró un desbordamiento del búfer de pila en el emulador de disquete de QEMU versiones hasta 6.0.0 (incluyéndola). Podría ocurrir en la función fdctrl_transfer_handler() en el archivo hw/block/fdc.c mientras son procesados transferencias de datos de lectura DMA desde la unidad de disquete al sistema invitado. • https://bugzilla.redhat.com/show_bug.cgi?id=1951118 https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html https://security.netapp.com/advisory/ntap-20210528-0005 https://access.redhat.com/security/cve/CVE-2021-3507 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787: Out-of-bounds Write •
CVSS: 6.0EPSS: 0%CPEs: 5EXPL: 0CVE-2021-20221 – qemu: out-of-bound heap buffer access via an interrupt ID field
https://notcve.org/view.php?id=CVE-2021-20221
An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. Se encontró un problema de acceso al búfer de pila fuera de límites en el emulador ARM Generic Interrupt Controller de QEMU hasta e incluyendo qemu versión 4.2.0 en la plataforma aarch64. • http://www.openwall.com/lists/oss-security/2021/02/05/1 https://bugzilla.redhat.com/show_bug.cgi?id=1924601 https://lists.debian.org/debian-lts-announce/2021/02/msg00024.html https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html https://security.netapp.com/advisory/ntap-20210708-0005 https://access.redhat.com/security/cve/CVE-2021-20221 • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVSS: 5.7EPSS: 0%CPEs: 4EXPL: 0CVE-2021-3409
https://notcve.org/view.php?id=CVE-2021-3409
The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. Se detectó que el parche para CVE-2020-17380/CVE-2020-25085 era ineficaz, por lo que QEMU era vulnerable a problemas de acceso de lectura y escritura fuera de límites que se encontraban anteriormente en el código de emulación del controlador SDHCI. Este fallo permite a un invitado privilegiado malicioso bloquear el proceso QEMU en el host, resultando en una denegación de servicio o una posible ejecución de código. • https://bugzilla.redhat.com/show_bug.cgi?id=1928146 https://lists.debian.org/debian-lts-announce/2021/04/msg00009.html https://security.gentoo.org/glsa/202208-27 https://security.netapp.com/advisory/ntap-20210507-0001 https://www.openwall.com/lists/oss-security/2021/03/09/1 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •