Main Vulnerability Database SB2020092526

SB2020092526 - Infinite loop in QEMU USB OHCI controller emulator

Published: September 25, 2020 Updated: December 31, 2025

Security Bulletin ID SB2020092526

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Infinite loop (CVE-ID: CVE-2020-25625)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop within the USB OHCI controller emulator of QEMU in hw/usb/hcd-ohci.c while servicing OHCI isochronous transfer descriptors (TD) in ohci_service_iso_td routine. A local privileged user can consume all available system resources and cause denial of service conditions.

Remediation

Install update from vendor's website.

References

http://www.openwall.com/lists/oss-security/2020/09/17/1
https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05905.html