CVE-2021-3409

Published: 23 March 2021

The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this.

Priority

Medium

CVSS 3 base score: 5.7

Status

Package Release Status
qemu
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo)
Released (1:5.2+dfsg-9ubuntu3.1)
Ubuntu 20.04 LTS (Focal Fossa)
Released (1:4.2-3ubuntu6.17)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (1:2.11+dfsg-1ubuntu7.37)
Ubuntu 16.04 ESM (Xenial Xerus) Needed

Ubuntu 14.04 ESM (Trusty Tahr) Needs triage

Patches:
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=b263d8f928001b5cfa2a993ea43b7a5b3a1811e8
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=8be45cc947832b3c02144c9d52921f499f2d77fe
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=bc6f28995ff88f5d82c38afcfd65406f0ae375aa
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9
qemu-kvm
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist