CVE-2022-2962

Ubuntu Security Notice USN-5772-1

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

Se encontró un problema de reentrada DMA en la emulación del dispositivo Tulip en QEMU. Cuando Tulip lee o escribe en el descriptor rx/tx o copia la trama rx/tx, no comprueba si la dirección de destino es su propia dirección MMIO. Esto puede causar a el dispositivo disparar los manejadores MMIO múltiples veces, posiblemente conllevando a un desbordamiento de la pila (stack, heap). Un huésped malicioso podría usar este fallo para bloquear el proceso QEMU en el host, resultando en una condición de denegación de servicio

It was discovered that QEMU incorrectly handled bulk transfers from SPICE clients. A remote attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that QEMU did not properly manage memory when it transfers the USB packets. A malicious guest attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2022-08-23 CVE Reserved
2022-09-13 CVE Published
2024-08-22 CVE Updated
2024-08-22 First Exploit
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-662: Improper Synchronization

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
https://gitlab.com/qemu-project/qemu/-/issues/1171	2024-08-22

URL	Date	SRC
https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182	2023-06-28

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Qemu Search vendor "Qemu"		Qemu Search vendor "Qemu" for product "Qemu"				>= 4.2.0 <= 7.1.0 Search vendor "Qemu" for product "Qemu" and version " >= 4.2.0 <= 7.1.0"		-		Affected