CVE-2020-8608
QEMU: Slirp: potential OOB access due to unsafe snprintf() usages
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code.
En libslirp versión 4.1.0, como es usado en QEMU versión 4.2.0, el archivo tcp_subr.c utiliza inapropiadamente los valores de retorno de snprintf, lo que conlleva a un desbordamiento del búfer en el código posterior.
An out-of-bounds heap buffer access flaw was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in tcp_emu() routine while emulating IRC and other protocols due to unsafe usage of the snprintf(3) function. A user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host.
It was discovered that the SLiRP networking implementation of the QEMU emulator did not properly manage memory under certain circumstances. An attacker could use this to cause a heap-based buffer overflow or other out- of-bounds access, which can lead to a denial of service or potentially execute arbitrary code. It was discovered that the SLiRP networking implementation of the QEMU emulator misuses snprintf return values. An attacker could use this to cause a denial of service or potentially execute arbitrary code. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-02-04 CVE Reserved
- 2020-02-06 CVE Published
- 2024-08-04 CVE Updated
- 2025-07-28 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-122: Heap-based Buffer Overflow
CAPEC
References (14)
| URL | Tag | Source |
|---|---|---|
| https://gitlab.freedesktop.org/slirp/libslirp/-/tags/v4.1.0 | Release Notes | |
| https://lists.debian.org/debian-lts-announce/2020/03/msg00015.html | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2020/03/msg00017.html | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2020/07/msg00020.html | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2021/02/msg00012.html | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20201001-0002 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://gitlab.freedesktop.org/slirp/libslirp/commit/68ccb8021a838066f0951d4b2817eb6b6f10a843 | 2021-02-14 | |
| https://www.openwall.com/lists/oss-security/2020/02/06/2 | 2021-02-14 |
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00007.html | 2021-02-14 | |
| https://security.gentoo.org/glsa/202003-66 | 2021-02-14 | |
| https://usn.ubuntu.com/4283-1 | 2021-02-14 | |
| https://www.debian.org/security/2020/dsa-4733 | 2021-02-14 | |
| https://access.redhat.com/security/cve/CVE-2020-8608 | 2020-07-21 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1798453 | 2020-07-21 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Libslirp Project Search vendor "Libslirp Project" | Libslirp Search vendor "Libslirp Project" for product "Libslirp" | 4.1.0 Search vendor "Libslirp Project" for product "Libslirp" and version "4.1.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.1 Search vendor "Opensuse" for product "Leap" and version "15.1" | - |
Affected
| ||||||