Out-of-Bounds Write Vulnerability in QEMU's vhost-user GPU Device
CVE-2021-3546

8.2HIGH

Key Information:

Vendor

Qemu
Status
Qemu
Vendor
CVE Published:
2 June 2021

What is CVE-2021-3546?

An out-of-bounds write vulnerability was identified in the vhost-user GPU device component of QEMU, present in versions up to and including 6.0. This flaw manifests when the system processes the 'VIRTIO_GPU_CMD_GET_CAPSET' command initiated by a privileged user within a guest environment. An attacker exploiting this weakness could cause the QEMU process on the host to crash, leading to a denial of service condition. In a more severe scenario, there may also be potential for unauthorized code execution with the same privileges as the vulnerable QEMU process.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

QEMU All QEMU versions up to and including 6.0

References

http://www.openwall.com/lists/oss-security/2021/05/31/1
mailing-listx_refsource_MLIST
https://bugzilla.redhat.com/show_bug.cgi?id=1958978
x_refsource_MISC
https://security.netapp.com/advisory/ntap-20210720-0008/
x_refsource_CONFIRM

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.