CVE-2019-15890

QEMU: Slirp: use-after-free during packet reassembly

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c.

libslirp versión 4.0.0, como es usado en QEMU versión 4.1.0, presenta un uso de la memoria previamente liberada en la función ip_reass en el archivo ip_input.c.

A use-after-free issue was found in the SLiRP networking implementation of the QEMU emulator. The issue occurs in ip_reass() routine while reassembling incoming packets, if the first fragment is bigger than the m->m_dat[] buffer. A user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service.

It was discovered that the LSI SCSI adapter emulator implementation in QEMU did not properly validate executed scripts. A local attacker could use this to cause a denial of service. Sergej Schumilo, Cornelius Aschermann and Simon Woerner discovered that the qxl paravirtual graphics driver implementation in QEMU contained a null pointer dereference. A local attacker in a guest could use this to cause a denial of service. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-09-03 CVE Reserved
2019-09-06 CVE Published
2024-08-05 CVE Updated
2025-04-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (11)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2019/09/msg00021.html	Mailing List
https://seclists.org/bugtraq/2020/Feb/0	Mailing List

URL	Date	SRC

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2019/09/06/3	2019-09-20
https://gitlab.freedesktop.org/slirp/libslirp/commit/c5927943	2019-09-20

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00034.html	2019-09-20
https://access.redhat.com/errata/RHSA-2020:0775	2019-09-20
https://usn.ubuntu.com/4191-1	2019-09-20
https://usn.ubuntu.com/4191-2	2019-09-20
https://www.debian.org/security/2020/dsa-4616	2019-09-20
https://access.redhat.com/security/cve/CVE-2019-15890	2020-11-04
https://bugzilla.redhat.com/show_bug.cgi?id=1749716	2020-11-04

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Libslirp Project Search vendor "Libslirp Project"		Libslirp Search vendor "Libslirp Project" for product "Libslirp"				4.0.0 Search vendor "Libslirp Project" for product "Libslirp" and version "4.0.0"		-		Affected
Qemu Search vendor "Qemu"		Qemu Search vendor "Qemu" for product "Qemu"				4.1.0 Search vendor "Qemu" for product "Qemu" and version "4.1.0"		-		Affected