CVE-2021-3546

A flaw was found in vhost-user-gpu of QEMU in versions up to and including 6.0. An out-of-bounds write vulnerability can allow a malicious guest to crash the QEMU process on the host resulting in a denial of service or potentially execute arbitrary code on the host with the privileges of the QEMU process. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Summary:

A flaw was found in vhost-user-gpu of QEMU in versions up to and including 6.0. An out-of-bounds write vulnerability can allow a malicious guest to crash the QEMU process on the host resulting in a denial of service or potentially execute arbitrary code on the host with the privileges of the QEMU process. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Reference Links(if available):

  • https://bugzilla.redhat.com/show_bug.cgi?id=1958978
  • http://www.openwall.com/lists/oss-security/2021/05/31/1
  • https://security.netapp.com/advisory/ntap-20210720-0008/
  • https://www.debian.org/security/2021/dsa-4980
  • CVSS Score (if available)

    v2: / HIGHAV:L/AC:L/Au:N/C:P/I:P/A:P

    v3: / HIGHCVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

    Links to Exploits(if available)