CVE-2021-20181
13.05.2021, 16:15
A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.
| Vendor | Product | Version |
|---|---|---|
| qemu | qemu | 𝑥 ≤ 5.2.0 |
| debian | debian_linux | 9.0 |
| debian | debian_linux | 10.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| qemu |
| ||||||||||||||||||||||||
| qemu-kvm |
|
Common Weakness Enumeration
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race ConditionThe software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
References