CVE-2022-2962

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

Se encontró un problema de reentrada DMA en la emulación del dispositivo Tulip en QEMU. Cuando Tulip lee o escribe en el descriptor rx/tx o copia la trama rx/tx, no comprueba si la dirección de destino es su propia dirección MMIO. Esto puede causar a el dispositivo disparar los manejadores MMIO múltiples veces, posiblemente conllevando a un desbordamiento de la pila (stack, heap). Un huésped malicioso podría usar este fallo para bloquear el proceso QEMU en el host, resultando en una condición de denegación de servicio

*Credits: N/A

CVSS Scores

NISTv3.1 7.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2022-08-23 CVE Reserved
2022-09-13 CVE Published
2024-04-05 EPSS Updated
2024-08-22 CVE Updated
2024-08-22 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-662: Improper Synchronization

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
https://gitlab.com/qemu-project/qemu/-/issues/1171	2024-08-22

URL	Date	SRC
https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182	2023-06-28

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Qemu Search vendor "Qemu"		Qemu Search vendor "Qemu" for product "Qemu"				>= 4.2.0 <= 7.1.0 Search vendor "Qemu" for product "Qemu" and version " >= 4.2.0 <= 7.1.0"		-		Affected