Use-After-Free Vulnerability in QEMU's Virtio-Net Device
CVE-2021-3748

7.5HIGH

Key Information:

Vendor

Qemu
Status
Qemu (virtio-net)
Vendor
CVE Published:
23 March 2022

What is CVE-2021-3748?

A use-after-free vulnerability exists within the virtio-net device of QEMU, potentially triggered when a descriptor's address falls within the non-direct access region. This occurs if the 'num_buffers' parameter is incorrectly set after the virtqueue element is unmapped. An attacker exploiting this flaw could crash the QEMU instance, resulting in a denial of service, and in certain conditions, may gain the ability to execute arbitrary code on the host system with the privileges of the QEMU process.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

QEMU (virtio-net) Affects qemu v0.10.0 and above, Fixed In โ€“ v6.2.0-rc0 and above.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1998514
x_refsource_MISC
https://ubuntu.com/security/CVE-2021-3748
x_refsource_MISC
https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a9...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.