CVE-2021-4207
QEMU: QXL: double fetch in qxl_cursor() can lead to heap buffer overflow
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.
Se ha encontrado un fallo en la emulación del dispositivo de visualización QXL en QEMU. Una doble obtención de los valores controlados por el huésped "cursor-)header.width" y "cursor-)header.height" puede conllevar a una asignación de un pequeño objeto cursor seguido de un posterior desbordamiento del búfer en la región heap de la memoria. Un usuario invitado con privilegios maliciosos podría usar este fallo para bloquear el proceso de QEMU en el host o ejecutar potencialmente código arbitrario dentro del contexto del proceso de QEMU
An update that solves 7 vulnerabilities and has one errata is now available. This update for qemu fixes the following issues. Fixed an incomplete fix for CVE-2020-17380 and CVE-2020-25085 in sdhi controller. Fixed an integer overflow in cursor_alloc which can lead to heap buffer overflow. Fixed a double fetch in qxl_cursor ehich can lead to heap buffer overflow. Fixed a use after free issue found in hw/scsi/lsi53c895a.c. Fixed an uninitialized read during address translation that leads to a crash. Fixed a heap buffer overflow in DMA read data transfers. Fixed a heap buffer overflow in sdhci_sdma_transfer_multi_blocks.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-01-13 CVE Reserved
- 2022-04-29 CVE Published
- 2025-03-21 CVE Updated
- 2025-03-21 First Exploit
- 2025-05-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://starlabs.sg/advisories/21-4207 | 2025-03-21 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2036966 | 2022-08-02 | |
| https://security.gentoo.org/glsa/202208-27 | 2023-11-07 | |
| https://www.debian.org/security/2022/dsa-5133 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2021-4207 | 2022-08-02 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Qemu Search vendor "Qemu" | Qemu Search vendor "Qemu" for product "Qemu" | < 7.0.0 Search vendor "Qemu" for product "Qemu" and version " < 7.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | advanced_virtualization |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||