Your submission was sent successfully! Close

CVE-2021-3713

Published: 25 August 2021

An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host.

Priority

Low

CVSS 3 base score: 7.4

Status

Package Release Status
qemu
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(1:2.11+dfsg-1ubuntu7.37)
focal Not vulnerable
(1:4.2-3ubuntu6.17)
hirsute Ignored
(reached end-of-life)
impish
Released (1:6.0+dfsg-2expubuntu1.2)
jammy
Released (1:6.2+dfsg-2ubuntu5)
trusty Not vulnerable

upstream Needs triage

xenial Not vulnerable