CVE-2022-26354

Publication date 16 March 2022

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
qemu	24.10 oracular	Fixed 1:6.2+dfsg-2ubuntu8
	24.04 LTS noble	Fixed 1:6.2+dfsg-2ubuntu8
	23.10 mantic	Fixed 1:6.2+dfsg-2ubuntu8
	23.04 lunar	Fixed 1:6.2+dfsg-2ubuntu8
	22.10 kinetic	Fixed 1:6.2+dfsg-2ubuntu8
	22.04 LTS jammy	Fixed 1:6.2+dfsg-2ubuntu6.2
	21.10 impish	Fixed 1:6.0+dfsg-2expubuntu1.3
	20.04 LTS focal	Fixed 1:4.2-3ubuntu6.23
	18.04 LTS bionic	Fixed 1:2.11+dfsg-1ubuntu7.40
	16.04 LTS xenial	Vulnerable
	14.04 LTS trusty	Ignored end of ESM support, was needed

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
qemu	Upstream: 8d1b247

Severity score breakdown

Parameter	Value
Base score	3.2 · Low
Attack vector	Local
Attack complexity	Low
Privileges required	High
User interaction	None
Scope	Changed
Confidentiality	None
Integrity impact	None
Availability impact	Low
Vector	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L

CVE-2022-26354

Cvss 3 Severity Score

Status

Patch details

Severity score breakdown

References

Related Ubuntu Security Notices (USN)

Other references