Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!Close

CVE-2023-3255

Published: 13 September 2023

A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service.

Notes

AuthorNote
Priority reason:
This can only be used as a DoS by an authenticated user to the VNC service.

Priority

Low

Cvss 3 Severity Score

6.5

Score breakdown

Status

Package Release Status
qemu
Launchpad, Ubuntu, Debian
upstream Needs triage

bionic Not vulnerable
(code not present)
kinetic Ignored
(end of life, was deferred [2023-07-14])
jammy Needed

lunar Needed

trusty Not vulnerable
(code not present)
xenial Not vulnerable
(code not present)
focal Not vulnerable
(code not present)
mantic Not vulnerable
(1:8.0.4+dfsg-1ubuntu3)
Patches:
upstream: https://gitlab.com/qemu-project/qemu/-/commit/d921fea338c1059a27ce7b75309d7a2e485f710b

Severity score breakdown

Parameter Value
Base score 6.5
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H