CVE-2021-4207
QEMU: QXL: double fetch in qxl_cursor() can lead to heap buffer overflow
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process.
Se ha encontrado un fallo en la emulación del dispositivo de visualización QXL en QEMU. Una doble obtención de los valores controlados por el huésped "cursor-)header.width" y "cursor-)header.height" puede conllevar a una asignación de un pequeño objeto cursor seguido de un posterior desbordamiento del búfer en la región heap de la memoria. Un usuario invitado con privilegios maliciosos podría usar este fallo para bloquear el proceso de QEMU en el host o ejecutar potencialmente código arbitrario dentro del contexto del proceso de QEMU
Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Issues addressed include buffer overflow, integer overflow, and memory leak vulnerabilities.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-01-13 CVE Reserved
- 2022-04-29 CVE Published
- 2025-03-21 CVE Updated
- 2025-03-21 First Exploit
- 2025-05-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://starlabs.sg/advisories/21-4207 | 2025-03-21 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2036966 | 2022-08-02 | |
| https://security.gentoo.org/glsa/202208-27 | 2023-11-07 | |
| https://www.debian.org/security/2022/dsa-5133 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2021-4207 | 2022-08-02 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Qemu Search vendor "Qemu" | Qemu Search vendor "Qemu" for product "Qemu" | < 7.0.0 Search vendor "Qemu" for product "Qemu" and version " < 7.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | advanced_virtualization |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||