Release of invalid pointer or reference in QEMU

#VU63778 Release of invalid pointer or reference in QEMU

Published: 2022-05-30

Vulnerability identifier: #VU63778

Vulnerability risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3682

CWE-ID: CWE-763

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
QEMU
Client/Desktop applications / Virtualization software

Vendor: QEMU

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists in the USB redirector device emulation of QEMU when dropping packets during a bulk transfer from a SPICE client. A remote user can make QEMU call free() with faked heap chunk metadata to perform a denial of service or escalate privileges on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

QEMU: 3.1.1 - 6.1.0 rc2

External links
http://bugzilla.redhat.com/show_bug.cgi?id=1989651
http://security.netapp.com/advisory/ntap-20210902-0006/
http://lists.debian.org/debian-lts-announce/2021/09/msg00000.html
http://www.debian.org/security/2021/dsa-4980

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

VMware Tanzu Operations Manager update for QEMU

Ubuntu update for qemu

Debian update for qemu

openEuler update for qemu