CVE-2021-3546

Published: 02 June 2021

A flaw was found in vhost-user-gpu of QEMU in versions up to and including 6.0. An out-of-bounds write vulnerability can allow a malicious guest to crash the QEMU process on the host resulting in a denial of service or potentially execute arbitrary code on the host with the privileges of the QEMU process. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Priority

Medium

CVSS 3 base score: 8.2

Status

Package Release Status
qemu
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo)
Released (1:5.2+dfsg-9ubuntu3.1)
Ubuntu 20.04 LTS (Focal Fossa)
Released (1:4.2-3ubuntu6.17)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(code not present)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(code not present)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(code not present)
Patches:
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=121841b25d72d13f8cad554363138c360f1250ea
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=b9f79858a614d95f5de875d0ca31096eaab72c3b
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=f6091d86ba9ea05f4e111b9b42ee0005c37a6779
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=63736af5a6571d9def93769431e0d7e38c6677bf
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=9f22893adcb02580aee5968f32baa2cd109b3ec2
Upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=3ea32d1355d446057c17458238db2749c52ee8f0
qemu-kvm
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist