CVE-2020-29130
QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
El archivo slirp.c en libslirp versiones hasta 4.3.1, presenta una sobrescritura del bĂșfer porque intenta leer una determinada cantidad de datos del encabezado inclusive si excede la longitud total del paquete
An out-of-bounds access issue was found in the SLiRP user networking implementation of QEMU. It could occur while processing ARP/NCSI packets, if the packet length was shorter than required to accommodate respective protocol headers and payload. A privileged guest user may use this flaw to potentially leak host information bytes.
An update that solves 15 vulnerabilities and has two fixes is now available. This update for qemu fixes the following issues. Fixed OOB access in sm501 device emulation. Fixed use-after-free in usb xhci packet handling. Fixed use-after-free in usb ehci packet handling. Fixed infinite loop in usb hcd-ohci emulation. Fixed OOB access in usb hcd-ohci emulation. Fixed guest triggerable assert in shared network handling code. Fixed infinite loop in e1000e device emulation. Fixed OOB access in atapi emulation. Fixed heap overflow in MSIx emulation. Fixed null pointer deref. In mmio ops. Fixed infinite loop in e1000 device emulation. Fixed OOB access in rtl8139 NIC emulation. Fixed OOB access in other NIC emulations. Fixed OOB access in ati-vga emulation. Fixed OOB access in SLIRP ARP/NCSI packet processing directories and log files SLE15-SP3, and openSUSE equivalents This update was imported from the SUSE:SLE-15-SP2:Update update project.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-11-26 CVE Reserved
- 2020-11-26 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2025-07-04 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-125: Out-of-bounds Read
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2020/11/27/1 | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2021/02/msg00024.html | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2023/03/msg00013.html | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://lists.freedesktop.org/archives/slirp/2020-November/000115.html | 2024-08-04 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Libslirp Project Search vendor "Libslirp Project" | Libslirp Search vendor "Libslirp Project" for product "Libslirp" | <= 4.3.1 Search vendor "Libslirp Project" for product "Libslirp" and version " <= 4.3.1" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 32 Search vendor "Fedoraproject" for product "Fedora" and version "32" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||