CVE-2021-3682
QEMU: usbredir: free() call on invalid pointer in bufp_alloc()
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.
Se ha encontrado un fallo en la emulación del dispositivo redirector USB de QEMU en versiones anteriores a 6.1.0-rc2. Ocurre cuando se abandonan paquetes durante una transferencia masiva desde un cliente SPICE debido a que la queue de paquetes está lleno. Un cliente SPICE malicioso podría usar este fallo para hacer que QEMU llame a la función free() con metadatos de trozos de pila falsificados, resultando en un bloqueo de QEMU o la posible ejecución de código con los privilegios del proceso QEMU en el host
A flaw was found in the USB redirector device emulation of QEMU. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-08-04 CVE Reserved
- 2021-08-05 CVE Published
- 2024-02-01 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-763: Release of Invalid Pointer or Reference
CAPEC
References (7)
URL | Tag | Source |
---|---|---|
https://lists.debian.org/debian-lts-announce/2021/09/msg00000.html | Mailing List | |
https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html | Mailing List | |
https://security.netapp.com/advisory/ntap-20210902-0006 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1989651 | 2021-09-30 |
URL | Date | SRC |
---|---|---|
https://security.gentoo.org/glsa/202208-27 | 2023-03-31 | |
https://www.debian.org/security/2021/dsa-4980 | 2023-03-31 | |
https://access.redhat.com/security/cve/CVE-2021-3682 | 2021-09-30 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Qemu Search vendor "Qemu" | Qemu Search vendor "Qemu" for product "Qemu" | < 6.1.0 Search vendor "Qemu" for product "Qemu" and version " < 6.1.0" | - |
Affected
| ||||||
Qemu Search vendor "Qemu" | Qemu Search vendor "Qemu" for product "Qemu" | 6.1.0 Search vendor "Qemu" for product "Qemu" and version "6.1.0" | rc1 |
Affected
| ||||||
Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | advanced_virtualization |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
|