CVE-2021-3545

Published: 02 June 2021

An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.

Priority

Low

CVSS 3 base score: 6.5

Status

Package Release Status
qemu
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo)
Released (1:5.2+dfsg-9ubuntu3.1)
Ubuntu 20.04 LTS (Focal Fossa)
Released (1:4.2-3ubuntu6.17)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(code not present)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(code not present)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(code not present)
Patches:
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=121841b25d72d13f8cad554363138c360f1250ea
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=b9f79858a614d95f5de875d0ca31096eaab72c3b
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=f6091d86ba9ea05f4e111b9b42ee0005c37a6779
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=63736af5a6571d9def93769431e0d7e38c6677bf
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=9f22893adcb02580aee5968f32baa2cd109b3ec2
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=3ea32d1355d446057c17458238db2749c52ee8f0
qemu-kvm
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist