CVE-2020-27174

In Amazon AWS Firecracker before 0.21.3, and 0.22.x before 0.22.1, the serial console buffer can grow its memory usage without limit when data is sent to the standard input. This can result in a memory leak on the microVM emulation thread, possibly occupying more memory than intended on the host.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 67%
VendorProductVersion
amazonfirecracker
𝑥
< 0.21.3
amazonfirecracker
0.22.0 ≤
𝑥
< 0.22.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2020/10/23/1
https://github.com/firecracker-microvm/firecracker/issues/2177
https://github.com/firecracker-microvm/firecracker/pull/2178
https://github.com/firecracker-microvm/firecracker/pull/2179
http://www.openwall.com/lists/oss-security/2020/10/23/1
https://github.com/firecracker-microvm/firecracker/issues/2177
https://github.com/firecracker-microvm/firecracker/pull/2178
https://github.com/firecracker-microvm/firecracker/pull/2179