Out-of-Bounds Write Vulnerability in QEMU USB Attached SCSI Emulation
CVE-2021-3713

7.4HIGH

Key Information:

Vendor

Qemu
Status
Qemu
Vendor
CVE Published:
25 August 2021

What is CVE-2021-3713?

An out-of-bounds write flaw exists within the USB Attached SCSI (UAS) device emulation of QEMU, affecting versions prior to 6.2.0-rc0. This vulnerability arises when the stream number supplied by the guest is not properly checked, potentially allowing for out-of-bounds access to specific fields within the UAS device structure. An attacker with malicious intent may exploit this flaw to crash the QEMU instance or, more severely, execute arbitrary code with the same privileges as the QEMU process running on the host system.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

QEMU qemu 6.2.0-rc0

References

https://bugzilla.redhat.com/show_bug.cgi?id=1994640
x_refsource_MISC
https://lists.debian.org/debian-lts-announce/2021/09/msg0...
mailing-listx_refsource_MLIST
https://security.netapp.com/advisory/ntap-20210923-0006/
x_refsource_CONFIRM

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Physical
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.