CVE-2021-4206
QEMU: QXL: integer overflow in cursor_alloc() can lead to heap buffer overflow
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.
Se ha encontrado un fallo en la emulación del dispositivo de visualización QXL en QEMU. Un desbordamiento de enteros en la función cursor_alloc() puede conllevar a una asignación de un pequeño objeto cursor seguido de un posterior desbordamiento del búfer en la región heap de la memoria. Este fallo permite a un usuario invitado con privilegios maliciosos bloquear el proceso QEMU en el host o ejecutar potencialmente código arbitrario dentro del contexto del proceso QEMU
An update that solves 7 vulnerabilities and has one errata is now available. This update for qemu fixes the following issues. Fixed an incomplete fix for CVE-2020-17380 and CVE-2020-25085 in sdhi controller. Fixed an integer overflow in cursor_alloc which can lead to heap buffer overflow. Fixed a double fetch in qxl_cursor ehich can lead to heap buffer overflow. Fixed a use after free issue found in hw/scsi/lsi53c895a.c. Fixed an uninitialized read during address translation that leads to a crash. Fixed a heap buffer overflow in DMA read data transfers. Fixed a heap buffer overflow in sdhci_sdma_transfer_multi_blocks.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-01-13 CVE Reserved
- 2022-04-29 CVE Published
- 2025-03-21 CVE Updated
- 2025-03-21 First Exploit
- 2025-07-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-131: Incorrect Calculation of Buffer Size
- CWE-190: Integer Overflow or Wraparound
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://starlabs.sg/advisories/21-4206 | 2025-03-21 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2036998 | 2022-08-02 | |
| https://security.gentoo.org/glsa/202208-27 | 2023-11-07 | |
| https://www.debian.org/security/2022/dsa-5133 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2021-4206 | 2022-08-02 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Qemu Search vendor "Qemu" | Qemu Search vendor "Qemu" for product "Qemu" | < 7.0.0 Search vendor "Qemu" for product "Qemu" and version " < 7.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | advanced_virtualization |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||